Data Breach Procedure and Response Plan

Section 1 - Policy

(1) This Procedure is governed by the Privacy Policy.

Section 2 - Introduction

(2) ACU is committed to managing personal information in accordance with the Privacy Act 1988 (Cth) and the Privacy Policy.

(3) This document sets out the processes to be followed by ACU staff in the event that ACU experiences a data breach or suspects that a data breach has occurred. A data breach involves the loss of, unauthorised access to, or unauthorised disclosure of, personal information.

(4) The Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) (the NDB Act) established a Notifiable Data Breaches scheme requiring organisations covered by the Privacy Act 1988 (Cth) to notify any individuals likely to be at risk of serious harm by a data breach. The Office of the Australian Information Commissioner (OAIC) must also be notified.

(5) Accordingly, ACU needs to be prepared to act quickly in the event of a data breach (or suspected breach), and to determine whether it is likely to result in serious harm and whether it constitutes a Notifiable Data Breach.

(6) Adherence to this Procedure and Response Plan will ensure that ACU can contain, assess and respond to data breaches expeditiously and mitigate potential harm to the person(s) affected.

(7) This Procedure and Response Plan has been informed by:

(8) This document should be read in conjunction with the Privacy Policy.

Section 3 - Process Where a Breach Occurs or is Suspected

Alert

(9) Where a privacy data breach is known or suspected to have occurred, any ACU staff member who becomes aware of this must, within 24 hours, alert a member of the Executive in the first instance.

(10) The information that should be provided (if known) at this point includes:

(11) The Data Breach Process Form can assist in documenting the required information.

Assess and Determine the Potential Impact

(12) Once notified of the information above, the member of the Executive must consider whether a privacy data breach has (or is likely to have) occurred and make a preliminary judgement as to its severity. The Privacy Coordinator should be contacted for advice.

Criteria for Determining Whether a Privacy Data Breach has Occurred

(13) The key criteria for determining whether a privacy data breach has occurred include:

(14) For the purposes of this assessment the following terms are defined in Section 9 of the Privacy Policy: personal information, sensitive information, unauthorised access, unauthorised disclosure and loss.

Criteria for Determining Severity

(15) The criteria for determining the severity of a data breach include:

(16) With respect to 15(e) above, serious harm could include physical, physiological, emotional, economic / financial or reputational harm, and is defined in Section 9 of the Privacy Policy and section 26WG of the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth).

(17) Having considered the matters in clauses (13) to (16), the member of the Executive must notify the Privacy Officer within 24 hours of being alerted.

Privacy Officer to Issue Pre-emptive Instructions

(18) On receipt of the communication by the relevant member of the Executive under clauses (13) to (16), the Privacy Officer will take a preliminary view as to whether the breach (or suspected breach) may constitute a notifiable data breach. Accordingly, the Privacy Officer will issue pre-emptive instructions as to whether the data breach should be managed at the local level or escalated to the Data Breach Response Team (Response Team). This will depend on the nature and severity of the breach.

Data Breach Managed at the Directorate / Faculty / Institute Level

(19) Where the Privacy Officer instructs that the data breach is to be managed at the local level, the relevant member of the Executive must:

(20) The Privacy Officer will be provided with a copy of the report and will sign off that no further action is required.

(21) The report will be logged by the Privacy Coordinator.

Data Breach Managed by the Response Team

(22) Where the Privacy Officer instructs that the data breach be escalated to the Response Team, the Privacy Officer will convene the Response Team and notify the Vice-Chancellor and President.

(23) The Response Team will consist of:

Primary Role of the Response Team

(24) There is no single method of responding to a data breach, and each incident must be dealt with on a case-by-case basis by assessing the circumstances and associated risks to inform the appropriate course of action.

(25) The following steps may be undertaken by the Response Team (as appropriate):

(26) The Response Team must undertake its assessment within 48 hours of being convened.

(27) The Privacy Officer will provide periodic updates to the Vice-Chancellor and President as deemed appropriate.

Notification

(28) Having regard to the Response Team's recommendation in clauses (29) to (31) above, the Privacy Officer will determine whether there are reasonable grounds to suspect that a notifiable data breach has occurred.

(29) If there are reasonable grounds, the Privacy Officer must prepare a prescribed statement and provide a copy to the OAIC as soon as practicable (and no later than 30 days after becoming aware of the breach or suspected breach).

(30) The Notifiable Data Breach Statement should be used as a template for the statement.

(31) If practicable, ACU must also notify each individual to whom the relevant personal information relates. Where impracticable, ACU must take reasonable steps to publicise the statement (including publishing it on the website).

(32) The prescribed statement will be logged by the Privacy Coordinator.

Secondary Role of the Response Team

(33) Once the matters referred to in clauses (24) to (32) have been dealt with, the Response Team should turn its attention to the following:

Section 4 - Updates to this Procedure

(34) In line with the Policy Development and Review Policy, this Procedure is scheduled for review every five years, or more frequently if appropriate.

(35) Unless otherwise indicated, this policy will still apply beyond the review date.

Section 5 - Revisions Made to this Procedure

Section 6 - Contact Details

(36) Contact for all matters related to privacy, including complaints about breaches of privacy, should be directed as follows:

Section 7 - Associated Information

(37) For related legislation, policies, procedures and guidelines and any supporting resources, please refer to the Associated Information tab.
Note: the term ‘member of the Executive’ is defined in the Delegations of Authority Policy and Register.