Information Technology Procedure - Personal Data Breach

Section 1 - Purpose

(1) This procedure supports the Information Technology Policy and:

  1. outlines responsibilities of staff and students in response to suspected or identified breaches of personal information held by Charles Sturt University (the University)
  2. determines if a personal data breach constitutes an eligible data breach that must be reported to the Office of the Australian Information Commissioner (OAIC) in compliance with the Privacy Act 1988
  3. outlines the steps and responsibilities in reporting eligible data breaches to the OAIC, described as the Notifiable Data Breaches scheme.

(2) This procedure is a key component of the University's data breach response plan. The data breach response plan outlines how the University will respond to, and initiate improvements in the University's response to, personal data breaches.

Scope

(3) This procedure applies to all University staff, students and other relevant parties including visitors, contractors and associated bodies who own, manage, access or use the University's information and communications technology (ICT) services.

(4) This includes all:

  1. ICT systems and data attached to University computer or telephone networks
  2. University systems
  3. communications sent to or from the University
  4. data owned by the University, either internally or on systems external to the University network.

Section 2 - Policy

(5) See the Information Technology Policy.

Section 3 - Procedure

Reporting a data breach

(6) All University staff must report any suspected or known breaches of personal information held by the University to the IT Service Desk as soon as possible.

(7) All University students must report any suspected or known breaches of personal information held by the University to Student Central as soon as possible.

Containing a data breach

(8) The suspected or known breach must be promptly contained to minimise the scope and impact of the breach.

(9) The IT Service Desk will:

  1. record the incident
  2. where possible, contain the data breach
  3. escalate the incident to the ICT Security Team.

Preliminary data breach assessment

(10) The ICT Security Team will complete a preliminary assessment to determine the criticality and eligibility of the incident as soon as possible.

(11) On completion of the preliminary assessment:

  1. if it is determined that there has been an eligible data breach, the ICT Security Team must notify the Data Breach Response Team with the results including the:
    1. likelihood of causing serious harm to individuals
    2. number of individuals impacted
    3. nature and scope of the data breach.
  2. if it is determined that there has not been an eligible data breach, the ICT Security Team must:
    1. consider how the data breach occurred
    2. recommend enhanced personal information security measures
    3. seek endorsement of recommendations from the Data Breach Response Team.
  3. if it is unable to be determined that there has been an eligible data breach, the ICT Security Team must:
    1. complete a more detailed risk assessment within a 30-day period in order to determine if it is an eligible data breach
    2. on completion of the detailed risk assessment, if it is determined that there
      1. has been an eligible data breach, see clause 11a.
      2. has not been an eligible data breach, see clause 11b.

Notifiable data breaches

(12) On receipt of the data breach assessment report, the Data Breach Response Team will assess and determine if it is a notifiable data breach.

(13) If it is determined that it is a notifiable data breach, the Data Breach Response Team will:

  1. complete a list of individuals impacted
  2. consider if there is any additional information required to support the:
    1. data custodian
    2. impacted individuals
    3. completion of the Notifiable Data Breach Statement - form
  3. prepare a Notifiable Data Breach Statement - form
  4. submit the Notifiable Data Breach Statement - form to the University's privacy officer (who will approve and submit to the OAIC, along with any approved additional information)
  5. notify and advise impacted individuals, relevant University areas and the Office of the Vice-Chancellor that:
    1. possible vulnerabilities have been identified
    2. Notifiable Data Breach Statement - form has been lodged
  6. advise remedial actions to be undertaken by relevant stakeholders
  7. monitor the delivery of remedial actions
  8. capture and report on success of remedial actions undertaken by relevant stakeholders.

(14) If it is determined that it is not a notifiable data breach, the Data Breach Response Team will:

  1. consider how the data breach occurred
  2. recommend enhanced personal information security measures
  3. communicate and provide recommendations to the data custodian and relevant stakeholders.

Responsibilities

(15) Charles Sturt University staff are responsible for:

  1. reporting via the IT Service Desk as soon as possible any identified, suspected or possible unauthorised disclosure of personal information held by the University
  2. protecting personal information held by the University against unauthorised disclosure.

(16) Charles Sturt University students are responsible for:

  1. reporting via Student Central as soon as possible any identified, suspected or possible unauthorised disclosure of personal information held by the University
  2. maintaining appropriate data protection of their personal data.

(17) IT Service Desk is responsible for:

  1. registering reported incidents
  2. providing specialised advice (where possible) to the individual reporting the incident on options for preventing further damage
  3. escalating the incident within the IT Service Management Platform to ICT Security Team.

(18) Student Central is responsible for:

  1. registering reported incidents
  2. providing specialised advice (where possible) to the individual reporting the incident on options for preventing further damage
  3. escalating the incident within the IT Service Management Platform to ICT Security Team.

(19) ICT Security Team is responsible for:

  1. assessing assigned security breaches
  2. reporting breaches to the Data Breach Response Team.

(20) Data Breach Response Team is responsible for:

  1. actioning the data breach response process within specified time constraints
  2. maintaining adequate documentation of suspected data breaches reported and steps taken to deliver on compliance and University reporting requirements
  3. preparing and submitting to the privacy officer the Notifiable Data Breach Statement - form where applicable
  4. checking personal data breach incidents to see if they also fit the critical incident classification
  5. notifying the Crisis Management Team of any suspected or identified critical incident.

(21) The privacy officer is responsible for:

  1. overseeing the University's compliance with the Notifiable Data Breaches scheme
  2. managing the University's data breach response plan
  3. chairing the Data Breach Response Team meetings
  4. approving the prepared Notifiable Data Breach Statement - form
  5. lodging the Notifiable Data Breach Statement - form to OAIC
  6. reporting to the Vice-Chancellor on notifiable data breach compliance and OAIC notifications
  7. approving any additional information about a University data breach that is to be provided to impacted individuals or other third parties. This could be in addition to, or separate from, a Notifiable Data Breach Statement - form.

(22) Chief Information and Digital Officer is responsible for:

  1. contributing as a member of the Data Breach Response Team
  2. supporting the availability of technical expertise to undertake data breach response and remedial actions.

(23) Data Security and Governance Committee is responsible for:

  1. promoting the adoption of information management and ICT security controls to ensure integrity, availability and confidentiality of personal information
  2. providing guidance on improvements to protect personal information from unauthorised disclosure.

(24) Application, data and information custodians are, for the personal information and data within their area of responsibility, responsible for:

  1. reporting via the IT Service Desk as soon as possible any identified, suspected or possible unauthorised disclosure of personal information held by the University
  2. actively managing and maintaining protection against unauthorised disclosure. This includes aspects such as:
    1. capture, use, movement, storage and retention of information
    2. access controls for both electronic and physical records
    3. staff training (including manual handling)
    4. monitoring for unauthorised disclosure.

(25) The Crisis Management Team and Critical Incident Management Team are responsible for notifying the Data Breach Response Team of any suspected or identified personal data breaches.

Section 4 - Guidelines

(26) Nil.

Section 5 - Glossary

(27) This procedure uses terms defined in the Information Technology Policy, as well as the following:

  1. Application, data and information custodians – means the nominated staff overseeing the management of a specified application, data or information set with regards to ensuring availability, integrity, and protection according to relevant University business requirements, policy and legislative compliance.
  2. Data breach response plan – means the University's plan that sets out the components, roles and responsibilities for managing the University’s appropriate response to a data breach.
  3. Data breach response process – means the actions to be taken in the case of a suspected or identified data breach. Facilitates a swift response and ensures any legal obligations are met following a data breach.
  4. Data Security and Governance Committee – a subcommittee of the Technology Governance Committee.
  5. Eligible data breach – means:
    1. unauthorised access to or disclosure of, or loss of, personal information held by the University, and
    2. this is likely to result in serious harm to one or more individuals, and
    3. the organisation or agency has been unable to prevent the likely risk of serious harm with remedial action.
  6. Information security – encompasses:
    1. ICT security policies
    2. organisation of information security
    3. ICT asset management
    4. information security compliance obligations
    5. information security components of human resources management
    6. ICT communications and operations management
    7. information security components of business continuity management
    8. ICT services access control
    9. ICT security incident management
    10. ICT systems acquisition, development and maintenance
    11. ICT asset physical and environmental security.
  7. ICT Security Team – comprised of specialised Division of Information Technology resources who are responsible for the confidentiality, integrity and availability of the University’s information assets.
  8. Notifiable data breach – means a personal data breach that is determined as having a real risk of serious harm to the affected individual(s). A notifiable data breach requires, at a minimum, formal notification to the OAIC and affected individuals.
  9. Notifiable Data Breaches scheme – requires regulated entities to notify impacted individuals and the OAIC about eligible data breaches.
  10. Personal data breach – means personal information or data held by the University is lost or subjected to unauthorised access, modification, disclosure, or other misuse or interference. Data breaches can be accidental or intentional in nature.
  11. Personal information – as defined in the Privacy Management Plan.
  12. Preliminary data breach assessment – means the initial assessment completed to determine quickly if there is a high level of risk of serious harm to affected individuals given the nature and scope of the personal data breach.
  13. Privacy officer – means the University officer, as stated in the Privacy Management Plan, who oversees the maintenance of the University’s Privacy Management Plan and provides advice and support to the University in meeting privacy legislation obligations.
  14. Serious harm – means serious harm to an individual and may include:
    1. identity theft
    2. financial loss
    3. threat to physical safety
    4. threat to emotional wellbeing
    5. loss of business or employment opportunities
    6. humiliation
    7. damage to reputation
    8. bullying, or
    9. marginalisation.
  15. Unauthorised access – means personal information that an organisation holds is accessed by someone who is not permitted to have access.
  16. Unauthorised disclosure – means an organisation has made personal information accessible or visible to others outside the organisation, and released that information from its effective control in a way that is not permitted by the Privacy Act 1988.