Data Breach Response Plan
Effective Date: 09/06/2018
The purpose of the National Curriculum Services (NCS) Data Breach Response Plan is to set out procedures and lines of authority in the event that NCS experiences a data breach (or suspects that a data breach has occurred). This Plan is intended to enable NCS to contain, assess and respond to data breaches in a timely fashion and to mitigate potential harm to affected individuals.
What is a data breach?
For the purposes of this Plan, a data breach occurs when information held by NCS is lost or subjected to unauthorised access, modification, disclosure, or other misuse or interference. In this Plan, the terms ‘data’ and ‘information’ are used interchangeably and should be taken to mean both data and information.
A data breach involves information that is ‘personal information’ as this term is defined in the Privacy Act 1988 (Privacy Act) (i.e. information or an opinion about an identified individual, or an individual who is reasonably identifiable whether the information or opinion is true or not, or recorded in a material form or not), it may also constitute a breach of the Privacy Act, depending on whether the circumstances giving rise to the data breach also constitute a breach of one or more of the Australian Privacy Principles (APPs) or a registered APP code.
Data breaches involving personal information likely to cause individuals to be at serious risk of harm must be reported to the affected individual(s) and the Australian Information Commissioner in accordance with the requirements of the Notifiable Data Breaches scheme introduced by the Privacy Amendment (Notifiable Data Breaches) Act 2017.
Data breaches may arise from:
- loss or unauthorised access, modification, use or disclosure or other misuse;
- malicious actions, such as theft or ‘hacking';
- internal errors or failure to follow information handling policies that cause accidental loss or disclosure; and
- not adhering to the laws of the states and territories or the Commonwealth of Australia.
Responding to data breaches
When a data breach has occurred or is suspected to have occurred, NCS will initiate the following process. However, it should be noted that there is no single method of responding to a data breach and in some cases the following steps may need to be modified. Data breaches must be dealt with on a case-by-case basis, by undertaking an assessment of the risks involved, and using that risk assessment to decide the appropriate course of action.
1. NCS experiences data breach or a data breach is suspected: an NCS staff member may discover this, or another party or system may alert an NCS staff member.
When an NCS staff member discovers a known or suspected data breach they should immediately notify the NCS Executive Director or in her absence the NCS Accountant. Complete and provide as much information in the “DATA BREACH ASSESSMENT REPORT” (see attachment A). Include the time and date the known or suspected breach was discovered, the type of personal information involved, the cause and extent of the breach, and the context of the affected information and the breach.
2. Any immediate steps available to contain the breach must be identified and implemented in discussion with the Executive Director or in her absence the NCS Accountant. Reducing the scale and impact of a data breach can prevent the need for notification to the Office of the Australian Information Commissioner (OAIC). All known or suspected data breaches must be notified internally to the NCS Executive Director or in her absence the NCS Accountant.
Assessment of the breach
3. Not all data breaches are notifiable. If, after an initial investigation, the Executive Director or in her absence the NCS Accountant, suspects a notifiable data breach may have occurred, a reasonable and expeditious assessment must be undertaken to determine if the data breach is likely to result in serious harm to any individual affected.
4. The Executive Director or in her absence the NCS Accountant, will seek information to assess the suspected breach. In assessing a suspected breach, the Executive Director or in her absence the NCS Accountant, may require assistance and information from other areas of the entity depending on the circumstances. For example, a suspected system breach would be investigated by our IT support company.
5. There will then be an evaluation of the scope and possible impact of the breach. The Executive Director or in her absence the NCS Accountant, will assess if a breach is likely to be notifiable and ensure appropriate actions including reporting to the Office of the Australian Information Commissioner (OAIC). An assessment of a known or suspected breach must be conducted expeditiously and where possible should be completed within 30 days.
6. In all cases the assessment will identify what actions must be taken. These will be documented and acted upon as soon as possible.
7. There is no single method of responding to a data breach. Data breaches must be dealt with on a case-by-case basis, by undertaking an assessment of the risks involved, and using that risk assessment to decide the appropriate course of action.
8. There are four key steps to consider when responding to a breach or suspected breach.
STEP 1: Contain the breach and do a preliminary assessment
STEP 2: Evaluate the risks associated with the breach
STEP 3: Notification to OAIC and affected individuals
STEP 4: Prevent future breaches
A notifiable breach
9. A breach that is assessed as likely to result in serious harm to individuals whose personal information is involved is a notifiable data breach. Such data breaches must be notified to the affected individuals and the Office of the Australian Information Commissioner (OAIC). Notice must include information about the breach and the steps taken in response to the breach.
10. If the company has responded quickly to the breach, and as a result of this action the data breach is not likely to result in serious harm, there is no need to notify individuals or the Office of the Australian Information Commissioner (OAIC). However NCS may decide to advise/tell the affected individuals about the incident if considered by NCS to be appropriate.
11. Assessment of the risk of serious harm will be considered by:
a. the likelihood of the harm occurring and;
b. the consequences of the harm.
Some of the factors that should be considered are:
The type of personal information involved in the data breach
Some kinds of personal information are more sensitive than others and could lead to serious ramifications for individuals if accessed. Information about a person’s health, documents commonly used for identity fraud (e.g. personal address, mobile number) or financial information are examples of information that could be misused if the information falls into the wrong hands.
Circumstances of the data breach
The scale and size of the breach may be relevant in determining the likelihood of serious harm. The disclosure of information relating to a large number of individuals would normally lead to an overall increased risk of at least some of those people experiencing harm. The length of time that the information has been accessible is also relevant.
Consideration must be given to who may have gained unauthorised access to information, and what their intention was (if any) in obtaining such access. It may be that there was a specific intention to use the information in a negative or malicious way.
Nature of possible harm
Consider the broad range of potential harm that could follow from a data breach including:
12. Notification to the OAIC and internally within NCS is the responsibility of the Executive Director or in her absence the NCS Accountant.
13. The Executive Director or nominated NCS Staff member in the area in which the breach occurred, would notify individuals after the Executive Director or in her absence the NCS Accountant, agrees to the action.
14. Notifications will follow the format identified in the data breach notification by the OAIC.
15. A response team will be formed for a serious breach. This may include the appropriate NCS staff, IT support company and/or legal firm.
16. Documentation will be stored with the NCS Accountant for each suspected breach.
NATIONAL CURRICULUM SERVICES (NCS)
DATA BREACH ASSESSMENT REPORT
This template is primarily designed to meet the requirements of assessment of data breaches of personal information as defined by the Privacy Act. A data breach involving other kinds of information may require a different approach.
Under the Privacy Act, NCS must notify affected individuals and prepare a statement for the Information Commissioner if the data breach is likely to result in serious harm to any of the individuals whose information was involved. The purpose of this Report is to:
- enable NCS to document its assessment of a data breach;
- inform the decision of whether to notify affected individuals and/or the Information Commissioner; and
- inform NCS’s review of the data breach and the taking of actions to prevent future breaches. If possible, assessment must be completed expeditiously and within 30 days.
Description of the breach
[Provide a short description of the breach, including the date and time the breach was discovered and the duration and location of the breach.]
Type of information involved
[Insert the type of information involved.]
How the breach was discovered
[Insert details about how the breach was discovered, and by whom.]
Cause and extent of breach
[Insert details about the cause and the extent of the breach.]
List of affected individuals
[List the affected individuals, or describe the class of individuals who are or may be affected by the data breach.]
Is the breach likely to result in serious harm to any of the individuals to whom the harm relates?
[Evaluate whether the breach is likely to result in serious harm to any of the individuals to whom the information relates, having regard to:
[Insert details of the steps NCS has taken to reduce any potential
harm to individuals, e.g. by recovering lost information before it is
accessed or changing access controls on compromised systems.
Commissioner or to notify affected individuals.]
Is or will the action result in making serious harm no longer likely?
[State whether the action will result in making serious harm no longer likely. If serious harm is no longer likely, NCS is not required to prepare a statement to the Information Commissioner or to notify affected individuals.]
Who will be notified of the breach?
Select from the following options:
NCS has determined that the data breach is likely to result in serious harm to individuals and therefore:
NCS has determined that notification of the data breach is not required because it is not likely to result in a serious risk of harm to any individuals.
[Include any recommendations on actions that could be undertaken
to contain the breach, remediate the breach or prevent future breaches of a similar nature – these recommendations will feed into NCS’s comprehensive review of the data breach.]
Names of response team members
[Insert the names and roles of response team members.]