Policy: Notifiable Data Breach


DomaCom Limited
Policy: Notifiable Data Breach
Version 1.1
June 7, 2018
Author: Sean Crisp

Contents

1. Version Control ........ 2
2. Summary ................ 3
3. What is a Data Breach .. 3
4. Process and Procedure .. 4
5. Updates to this Procedure 8
6. Contact details ........ 8
7. Staff training ......... 8

1. Version Control

Version  Date        Description
1.0      09/04/2018  Sean's initial draft
1.1      07/06/2018  Peter's final draft

19 Jun 2018 Page 2

2. Summary

This document describes the Policy for a potential or actual Data Breach. DomaCom is committed to managing personal information in accordance with the Privacy Act 1988 (Cth) (the Act) and the DomaCom Privacy Policy. This document sets out the processes to be followed by DomaCom staff in the event that DomaCom experiences a data breach or suspects that a data breach has occurred. A data breach involves the loss of, unauthorised access to, or unauthorised disclosure of, personal information.

The Privacy Amendment (Notifiable Data Breaches) Act 2017 (NDB Act) established a Notifiable Data Breaches (NDB) scheme requiring organisations covered by the Act to notify any individuals likely to be at risk of serious harm by a data breach. The Office of the Australian Information Commissioner (OAIC) must also be notified. Accordingly, DomaCom needs to be prepared to act quickly in the event of a data breach (or suspected breach), and determine whether it is likely to result in serious harm and whether it constitutes an NDB. Adherence to this Procedure and Response Plan will ensure that DomaCom can contain, assess and respond to data breaches expeditiously and mitigate potential harm to the person(s) affected.

This Procedure and Response Plan has been informed by:
- The OAIC's Guide to developing a data breach response plan
- The OAIC's Data breach notification guide: a guide to handling personal information security breaches
- The NDB Act
- The Act and the Australian Privacy Principles (Schedule 1 of the Act)

This document should be read in conjunction with DomaCom's Privacy Policy.

3. What is a Data Breach

Three distinct criteria must all be satisfied for a breach to be an eligible Data Breach.

Eligible data breach

An eligible data breach arises when the following three criteria are satisfied:
1. there is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, that an entity holds (see, What is a data breach?)
2. this is likely to result in serious harm to one or more individuals (see, Is serious harm likely?), and
3. the entity has not been able to prevent the likely risk of serious harm with remedial action (see, Preventing serious harm with remedial action).

What is a data breach?

The first step in deciding whether an eligible data breach has occurred involves considering whether there has been a data breach; that is, unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information (s 26WE(2)). The Privacy Act 1988 (Cth) (Privacy Act) does not define these terms. The following analysis and examples draw on the ordinary meaning of these words.

Unauthorised access of personal information occurs when personal information that an entity holds is accessed by someone who is not permitted to have access. This includes unauthorised access by an employee of the entity, or an independent contractor, as well as unauthorised access by an external third party (such as by hacking).

Some kinds of personal information may be more likely to cause an individual serious harm if compromised. Examples of the kinds of information that may increase the risk of serious harm if there is a data breach include:
- sensitive information, such as information about an individual's health
- documents commonly used for identity fraud (including Medicare card, driver licence, and passport details)
- financial information
- a combination of types of personal information (rather than a single piece of personal information) that allows more to be known about the individuals the information is about.

The nature of the harm

In assessing the risk of serious harm, DomaCom should consider the broad range of potential kinds of harms that may follow a data breach. It may be helpful for entities assessing the likelihood of harm to consider a number of scenarios that would result in serious harm and the likelihood of each. Examples may include:
- identity theft
- significant financial loss by the individual
- threats to an individual's physical safety
- loss of business or employment opportunities
- humiliation, damage to reputation or relationships
- workplace or social bullying or marginalisation.

The likelihood of a particular harm occurring, as well as the anticipated consequences for individuals whose personal information is involved in the data breach if the harm materialises, are relevant considerations.

4. Process and Procedure

4.1 Alert

Where a privacy data breach is known to have occurred (or is suspected), any member of DomaCom staff who becomes aware of this must, within 24 hours, alert the Chief Executive Officer or the Privacy Officer. The information that should be provided (if known) at this point includes:
a. When the breach occurred (time and date)
b. Description of the breach (type of personal information involved)
c. Cause of the breach (if known), otherwise how it was discovered
d. Which system(s), if any, are affected
e. Which part of DomaCom is involved
f. Whether corrective action has occurred to remedy or ameliorate the breach (or suspected breach)

A template can be found at Annexure A to assist in documenting the required information.

4.2 Assess and determine the potential impact

Once notified of the information above, the Chief Executive Officer or Privacy Officer must consider whether a privacy data breach has (or is likely to have) occurred and make a preliminary judgement as to its severity. The Privacy Officer should be contacted for advice.

4.3 Criteria for determining whether a privacy data breach has occurred

a. Is personal information involved?
b. Is the personal information of a sensitive nature?
c. Has there been unauthorised access to personal information, or unauthorised disclosure of personal information, or loss of personal information in circumstances where access to the information is likely to occur?

For the purposes of this assessment the following terms are defined in section 9 of the Privacy Policy: personal information, sensitive information, unauthorised access, unauthorised disclosure and loss.

4.4 Criteria for determining severity

a. The type and extent of personal information involved
b. Whether multiple individuals have been affected
c. Whether the information is protected by any security measures (password protection or encryption)
d. The person or kinds of people who now have access
e. Whether there is (or could be) a real risk of serious harm to the affected individuals
f. Whether there could be media or stakeholder attention as a result of the breach or suspected breach

With respect to 4.4(e) above, serious harm could include physical, physiological, emotional, economic/financial or harm to reputation, and is defined in section 9 of the Privacy Policy and section 26WG of the NDB Act.

Having considered the matters in 4.1 and 4.2, the Chief Executive Officer must notify the Privacy Officer within 24 hours of being alerted under 4.1.

4.5 Privacy Officer to issue pre-emptive instructions

On receipt of the communication by the Chief Executive Officer under 4.2, the Privacy Officer will take a preliminary view as to whether the breach (or suspected breach) may constitute an NDB. Accordingly, the Privacy Officer will issue pre-emptive instructions as to whether the data breach should be managed at the local level or escalated to the Data Breach Response Team (Response Team). This will depend on the nature and severity of the breach.

4.5.1 Data breach managed at DomaCom

Where the Privacy Officer instructs that the data breach is to be managed at DomaCom, the Chief Executive Officer must:
- ensure that immediate corrective action is taken, if this has not already occurred (corrective action may include: retrieval or recovery of the personal information, ceasing unauthorised access, shutting down or isolating the affected system); and
- submit a report via the Privacy Officer within 48 hours of receiving instructions under 3.3.

The report must contain the following:
1. Description of breach or suspected breach
2. Action taken
3. Outcome of action
4. Processes that have been implemented to prevent a repeat of the situation
5. Recommendation that no further action is necessary

The Privacy Officer will be provided with a copy of the report and will sign off that no further action is required. The report will be logged by the Privacy Officer.

4.5.2 Data breach managed by the Response Team

Where the Privacy Officer instructs that the data breach must be escalated to the Response Team, the Privacy Officer will convene the Response Team and notify the Chief Executive Officer.

4.6 Response Team & Duties

Response Team:
- Privacy Officer
- Head of Platform
- Head of IT
- CFO
- COO

Primary role of the Response Team

There is no single method of responding to a data breach, and each incident must be dealt with on a case-by-case basis by assessing the circumstances and associated risks to inform the appropriate course of action. The following steps may be undertaken by the Response Team (as appropriate):
- Immediately contain the breach (if this has not already occurred). Corrective action may include: retrieval or recovery of the personal information, ceasing unauthorised access, shutting down or isolating the affected system.
- Evaluate the risks associated with the breach, including collecting and documenting all available evidence of the breach, having regard for the information outlined in sections 4.1 and 4.2 above.
- Call upon the expertise of, or consult with, relevant staff in the particular circumstances.
- Engage an independent cyber security or forensic expert as appropriate.
- Assess whether serious harm is likely (with reference to section 4.2 above and section 26WG of the NDB Act).
- Make a recommendation to the Privacy Officer whether this breach constitutes an NDB for the purpose of mandatory reporting to the OAIC, and on the practicality of notifying affected individuals.
- Consider developing a communication or media strategy, including the timing, content and method of any announcements to students, staff or the media.

The Response Team must undertake its assessment within 48 hours of being convened. The Privacy Officer will provide periodic updates to the Chief Executive Officer as deemed appropriate.

4.7 Notification

Having regard to the Response Team's recommendation in 3.4 above, the Privacy Officer will determine whether there are reasonable grounds to suspect that an NDB has occurred. If there are reasonable grounds, the Privacy Officer must prepare a prescribed statement and provide a copy to the OAIC as soon as practicable (and no later than 30 days after becoming aware of the breach or suspected breach). A template can be found at Annexure B.

If practicable, DomaCom must also notify each individual to whom the relevant personal information relates. Where impracticable, DomaCom must take reasonable steps to publicise the statement (including publishing on the website). The prescribed statement will be logged by the Privacy Officer.

4.8 Secondary Role of the Response Team

Once the matters referred to in 4.4 and 4.5 have been dealt with, the Response Team should turn attention to the following:
- Identify lessons learnt and remedial action that can be taken to reduce the likelihood of recurrence; this may involve a review of policies, processes and refresher training.
- Prepare a report for submission to the Chief Executive Officer.
- Consider the option of an audit to ensure necessary outcomes are effected and effective.

5. Updates to this Procedure

In line with DomaCom Policy, this procedure is scheduled for review every five years, or more frequently if appropriate.

5.1 Revisions made to this Procedure

Date  Major or Minor Revision  Description of Revision(s)

6. Contact details

Contact for all matters related to privacy, including complaints about breaches of privacy, should be directed as follows:
Privacy Officer
E: Privacy@domacom.com.au

7. Staff training

All staff will receive initial training on how to identify possible data breaches, escalation procedures, reporting lines, members of the data breach response team and improving areas of potential weakness.

Actions:
Head of Platform  Review
Head of IT        Review
COO               Sign off
Privacy Officer   Sign off
CEO               Sign off

Annexure A: Privacy Policy Data Breach Report Template

Where a privacy data breach is known to have occurred (or is suspected), any member of DomaCom staff who becomes aware of this must, within 24 hours, alert the Chief Executive Officer or the Privacy Officer. The information that should be provided (if known) at this point includes:
a. Person making report and to whom
b. When the breach occurred (time and date)
c. Description of the breach (type of personal information involved)
d. Cause of the breach (if known), otherwise how it was discovered
e. Which system(s), if any, are affected
f. Which part of DomaCom is involved
g. Whether corrective action has occurred to remedy or ameliorate the breach (or suspected breach)

Annexure B: Notifiable Data Breach Statement

This statement must be submitted to the Office of the Australian Information Commissioner as soon as practicable after becoming aware of the notifiable data breach (and no later than 30 days), in accordance with section 3.5 of the Data Breach Procedure & Response Plan.

Part 1

Refers to requirements set out in section 26WK of the Privacy Amendment (Notifiable Data Breaches) Act 2017.

Organisation Name:
Contact Name:
Contact Phone Number:
Address:
Description of the Notifiable Data Breach that DomaCom has reasonable grounds to believe has happened:
Kind(s) of personal information involved in the data breach:
- Financial details
- Government identifiers
- Contact information
- Health information
- Other sensitive information
- Other
Steps DomaCom recommends that individuals take to reduce the risk that they experience serious harm as a result of this data breach:
Other entities affected: Yes / No
Contact details:

Part 2

The information that DomaCom provides on part two of the form does not need to be included in the notification(s) to affected individuals, and DomaCom may request that it be held in confidence by the OAIC.

Date the breach occurred:
Date the breach was discovered:
Primary cause of the data breach:
- Malicious or criminal attack
- System fault
- Human error
Description of how the data breach occurred:
Number of individuals whose personal information is involved in the data breach:
Description of any action DomaCom has taken to assist individuals whose personal information was involved in the data breach:
Description of any action DomaCom has taken to prevent reoccurrence:
How does DomaCom intend to notify individuals who are likely to be at risk of serious harm as a result of the data breach? When will this occur?
List any other data protection authorities, law enforcement bodies or regulatory bodies that you have reported this data breach to:
