
SIRA Data Breach Response Policy

Introduction

The SIRA data breach policy outlines how SIRA will fulfill its obligations under NSW privacy laws to notify an individual of a breach of their personal or health information when it is unlawfully accessed or disclosed. Effective breach management underpins this obligation and assists SIRA to avoid or reduce potential harm to affected individuals, take immediate action to contain a breach as well as prevent future breach occurrences.

With this in mind, the aim of this policy is to:

  • ensure SIRA employees understand and are aware of how data breaches are to be managed and responded to in accordance with privacy legislation.
  • establish a framework for the reporting and recording of data breaches as required.
  • ensure SIRA meets its obligations under the new Mandatory Notification of Data Breach (MNDB) requirements contained in the Privacy and Personal Information Protection Act 1998 (NSW) (PPIP Act).

The policy takes into consideration how SIRA will respond to eligible data breaches in line with the MNDB Scheme, established under the PPIP Act.

Scope

This policy applies to all staff and contractors working for and on behalf of SIRA. It applies in the event of a suspected, eligible, or apparent privacy or data breach.

Partner and Third-Party Contractors

All SIRA’s third-party partners and contractors must abide by the obligations of the relevant privacy laws and must handle personal information in line with the PPIP Act and any associated governing frameworks in place within SIRA, such as this policy.

Definitions

HRIP Act – Health Records and Information Privacy Act 2002

PPIP Act – Privacy and Personal Information Protection Act 1998

Personal information – Defined in section 4 of the PPIP Act as ‘information or an opinion (including information or an opinion forming part of a database and whether or not in a recorded form) about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion’.

Health information – Defined in section 6 of the HRIP Act as ‘personal information that is information or an opinion about the physical or mental health or a disability (at any time) of an individual, an individual’s express wishes about the future provision of health services to him or her, or a health service provided, or to be provided, to an individual’.

Mandatory notification of data breach scheme – As defined in the PPIP Act from 28 November 2023. See the Privacy and Personal Information Protection Amendment Bill 2022.

Legislative Outline

This policy outlines the processes established to contain, assess, manage, and notify an eligible data breach under the MNDB scheme under Part 6 of the PPIP Act.

Notifying individuals affected by a data breach can enable them to take steps to mitigate the consequences of a data breach.

Notifying the Privacy Commissioner allows independent advice, assessment, and investigation of the breach.

What is a data breach?

A data breach occurs when:

  • there is unauthorised access to, or unauthorised disclosure of, personal information held by SIRA.

A data breach can occur because of a technical problem, human error, inadequate policies and training, a misunderstanding of the law or a deliberate act. It is important to remember that a data breach can involve information that is held as both digital and hard copy records in any format and includes voice records.

Eligible Data Breach

For the purposes of the Act, an eligible data breach occurs when:

  • There is unauthorised access to, or unauthorised disclosure of, personal information held by a public sector agency or there is a loss of personal information held by a public sector agency in circumstances that are likely to result in unauthorised access to, or unauthorised disclosure of, the information, and
  • A reasonable person would conclude that the access or disclosure of the information would be likely to result in serious harm to an individual to whom the information relates.

A data breach is “eligible” if it is likely to result in serious harm to any of the individuals to whom the information relates. Whether a data breach is likely to result in serious harm requires an objective assessment, determined from the viewpoint of a reasonable person.

Responding to a Data Breach

Report and Contain

All suspected or apparent data breaches should be reported immediately to the staff member’s Director, and steps taken to contain the breach. The staff member who suspects the breach should also report the incident to the SIRA Senior Advisor, Privacy, and keep records of how the containment and response has taken place.

Assess the risk

The Director will make an initial assessment of whether the conduct meets the definition of a data breach and, where it does, the steps taken to contain it, the impact, whether the breach is minor or significant, suggested remediation steps and whether the breach meets the requirement for mandatory reporting as an eligible data breach. This report will be sent to the Executive Director. Next steps, once the breach thresholds are met, should be informed by the IPC’s Data Breach Guide for Agencies [1], which details data breach log assessment criteria and related MNDB provisions.

Notify the Privacy Commissioner

If an eligible data breach is assessed and determined under section 59M(1) of the Privacy and Personal Information Protection Act 1998 [2], the head of the public sector agency must, in the approved form, immediately notify the NSW Privacy Commissioner of the eligible data breach.

Review the Breach

SIRA’s Data Breach Response Procedure sets out how to finalise the breach response, including the review of the breach, recommended actions for implementation and review of the response from the regulatory authority.

Data Breach Response Procedure

The Data Breach Response Procedure sets out the roles and responsibilities for managing the response to a data breach. In assessing the seriousness of a breach, SIRA will consider:

  • the type of data held.
  • whether personal or health information was disclosed.
  • the number of individuals affected.
  • the risk of harm that could be caused to individuals.

Roles and Responsibilities

Head of the agency or designated delegate

It is the responsibility of the head of the agency, or an authorised delegate or assessor within SIRA to determine if a breach is an eligible data breach and if so, notify the Privacy Commissioner and the affected individuals of the identified breach.

All SIRA employees

All employees within SIRA are responsible for the ongoing identification and reporting of suspected data breaches to their direct line management team and the SIRA privacy team.

Directors

Business area Directors are responsible for identifying and implementing the processes and controls necessary to contain the incident. These members should also undertake the remediation if and where possible. The SIRA Senior Advisor, Privacy will be notified, and advice sought if required.

Executive Director

The Executive Director, as well as the Director of the affected business area, is notified as part of the response to a data breach.

SIRA Senior Advisor, Privacy

The SIRA Senior Advisor, Privacy is the specialised point of contact to seek advice and guidance on all privacy related matters. In the event of an identified breach (or seeking assistance to determine if a breach has occurred), the SIRA Privacy Officer assists to oversee the breach response and provides this specialised guidance and support to the affected team who have reported the incident.

Breach Management Team

A Breach Management Team is a working group of experts within SIRA, best placed to investigate and respond to a complex or higher risk Data Breach Incident. It may also include specialised representatives from other departments and agencies across the Department of Customer Service and other partner agencies as required.

When SIRA may not notify

SIRA may not notify individuals or the Privacy Commissioner in certain circumstances. These exemptions are set out in the Privacy and Personal Information Protection Act 1998 and include:

  • where multiple agencies are involved in an eligible breach and one of those agencies has provided notification.
  • where notification of an eligible data breach would prejudice an ongoing investigation or certain proceedings.
  • where SIRA has taken action before the data breach results in harm or loss to individuals.
  • where notification results in serious harm to an individual.
  • where compliance would be inconsistent with secrecy provisions of other legislation.
  • where compliance would result in serious risk of harm to health and safety.
  • where compliance would worsen the agency’s cyber security or lead to further data breaches.

Data Breach Register

SIRA maintains an internal register for data breaches, including eligible data breaches.

For eligible data breaches where the agency is unable or it is not practicable to notify individuals, SIRA will publish a notification on its website. This external public register will not contain personal information.

Post Breach Review

A post-breach review is undertaken by SIRA for an eligible data breach and may include the following:

  • investigating the cause of the breach.
  • implementing a strategy to identify and address any weaknesses in data handling that contributed to the breach.
  • updating the Data Breach Response Procedure if necessary.
  • making appropriate changes to policies and procedures if necessary.
  • revising staff training practices if necessary.
  • the option of an audit to ensure the necessary outcomes are effected.
  • consideration of whether the response team needs other expertise.
  • the preservation of evidence to determine the cause of the breach or allowing the Privacy Commissioner to take appropriate corrective action.
  • a communications or media strategy to manage public expectations and media.

Ongoing Review

The policy will be reviewed and amended to ensure that SIRA continues to meet its compliance and legislative obligations under privacy law, and to give clear guidance on any changes to policy, procedures and other important documents and considerations.

This document is for publication under SIRA’s obligations to meet the requirements of the Mandatory Notification Scheme.

Document change control

Version | Date       | Author                  | Summary of changes
1.0     | 05/10/2023 | Senior Advisor, Privacy | Draft of SIRA's DBRP

Sources of authority

This plan supports the Privacy and Personal Information Protection Act 1998, and the implementation of the obligations stated within the Privacy and Personal Information Protection Amendment Bill 2022.

Related policies, procedures, and forms

Related policies

Other Important Reference Documents


[1] At present this guide refers to voluntary notifications but will be updated with the requirements of the mandatory notification of data breach scheme.

[2] The head of the public sector agency must, in the approved form, immediately notify the NSW Privacy Commissioner of the eligible data breach.