Personal Data Breach Procedure

This is the current version of this document. You can provide feedback on this policy to the document author - refer to the Status and Details on the document's navigation bar.

Section 1 - Purpose

(1) Charles Sturt University (the University) is committed to protecting the confidentiality, integrity and availability of personal information that it collects and uses to support business operations and services to staff and students.

(2) The purpose of this Procedure is to:

  1. outline responsibilities of Charles Sturt University staff and students in response to suspected or identified breaches of personal information held by Charles Sturt University;
  2. determine if a personal data breach occurring after 22nd February 2018 constitutes an eligible data breach that must be reported to the Office of the Australian Information Commissioner (OAIC) as per compliance with the Privacy Act 1988 amendments; and
  3. outline the steps and responsibilities in reporting eligible data breaches to the Office of the Australian Information Commissioner, described as the 'Notifiable Data Breaches Scheme'.

(3) This Procedure is a key component of the University's Data Breach Response Plan. The Data Breach Response Plan outlines how the University will respond to and initiate improvements in the University's response to personal data breaches.

Scope

(4) This Procedure applies to all University staff, students and other relevant parties including visitors, contractors and associated bodies who own, manage, access or use the University's Information and Communications Technology (ICT) services.

(5) This includes all:

  1. ICT systems and data attached to University computer or telephone networks;
  2. University systems;
  3. communications sent to or from the University; and
  4. data owned by the University, either internally or on systems external to the CSU network.

References

(6) This Procedure should be read in conjunction with:

  1. Privacy Act 1988 (mandatory data breach notification amendment);
  2. Privacy Amendment (Notifiable Data Breaches) Act 2017;
  3. Information and Communications Technology Security Policy;
  4. Privacy and Personal Information Protection Act 1998 No 133;
  5. Privacy Management Plan;
  6. Computing and Communications Facilities Use Policy;
  7. Code of Conduct; and 
  8. Student Charter.

Section 2 - Glossary

(7) For the purpose of this Procedure:

  1. Application, Data and Information Custodians – nominated staff overseeing the management of a specified application, data or information set with regards to ensuring availability, integrity, and protection according to relevant University business requirements, policy and legislative compliance.
  2. Critical Incident Response Group – as determined by the Emergency Planning Committee to plan and organise responses to Critical Incidents in accordance with this Procedure.
  3. CSU Privacy Officer – oversees the maintenance of the University’s Privacy Management Plan, information sessions and advice to support the University in meeting privacy legislation obligations across the various areas of organisational activity. 
  4. Data Breach – means personal information or data held by the University is lost or subjected to unauthorised access, modification, disclosure, or other misuse or interference. Data breaches can be accidental or intentional in nature.
  5. Data Breach Response Team – carry out timely actions to reduce the potential impact of a data breach. 
  6. Data Breach Response Process – outlines the actions to be taken in the case of a suspected or identified data breach. Facilitates a swift response and ensures any legal obligations are met following a data breach.
  7. Data Breach Response Plan – sets out the components, roles and responsibilities for managing the University’s appropriate response to a data breach.
  8. Data Security and Governance Committee (DSGC) – a subcommittee of the Technology Governance Committee (TGC). The DSGC has oversight of University information and communications technology security and for ensuring the means by which data assets are defined, controlled, used and communicated for the benefit of the University. Membership represents a cross section of the University community.
  9. Eligible Data Breach – means:
    1. there is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information that an organisation holds;
    2. it is likely to result in serious harm to one or more individuals; and
    3. the organisation has not been able to prevent the likely risk of serious harm with remedial action.
  10. Information and Communications Technology (ICT) – includes:
    1. computers and peripherals (e.g. printers);
    2. communications infrastructure;
    3. computing facilities and utilities;
    4. information storage media; and
    5. systems and software.
  11. Information Security – encompasses:
    1. ICT security policies;
    2. organisation of information security;
    3. ICT asset management;
    4. information security compliance obligations;
    5. information security components of human resources management;
    6. ICT communications and operations management;
    7. information security components of business continuity management;
    8. ICT services access control;
    9. ICT security incident management;
    10. ICT systems acquisition, development and maintenance; and
    11. ICT asset physical and environmental security.
  12. IT Security Team – comprised of specialised Division of Information Technology resources and responsible for the confidentiality, integrity and availability of the University’s information assets.
  13. Loss – means the accidental or inadvertent loss of personal information held by an organisation, in circumstances where it is likely to result in unauthorised access or disclosure. 
  14. Notifiable Data Breach – a personal data breach that is determined as a real risk of serious harm to the affected individual/s. A notifiable data breach requires, at a minimum, formal notification to the OAIC and affected individuals.
  15. Notifiable Data Breaches Scheme – requires regulated entities to notify impacted individuals and the Office of the Australian Information Commissioner about eligible data breaches.
  16. Other Incident Management Process Owners – staff who have the responsibility to oversee the process relating to other existing organisational incident management processes in different areas of the University (such as student residences, campus security).
  17. Personal Information – means electronic and physical copies of personal information or an opinion about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion. Examples include:
    1. email account or application data;
    2. data stored on physical devices such as phone, laptop, iPad, USB storage, building; and
    3. paper based copies of information or data.
  18. Preliminary Data Breach Assessment – an initial assessment completed to determine quickly if there is a high level of risk of serious harm to affected individuals given the nature and scope of the personal data breach.
  19. Serious Harm – means serious harm to an individual and may include:
    1. identity theft;
    2. financial loss;
    3. threat to physical safety;
    4. threat to emotional wellbeing;
    5. loss of business or employment opportunities;
    6. humiliation;
    7. damage to reputation;
    8. bullying; or
    9. marginalisation.
  20. Unauthorised Access – means personal information that an organisation holds is accessed by someone who is not permitted to have access.
  21. Unauthorised Disclosure – occurs when an organisation makes personal information accessible or visible to others outside the organisation, and releases that information from its effective control in a way that is not permitted by the Privacy Act 1988.

Section 3 - Policy

(8) Nil.


Section 4 - Procedure

Responsibilities

(9) Charles Sturt University staff are responsible for:

  1. reporting via the IT Service Desk as soon as possible any identified, suspected or possible unauthorised disclosure of personal information held by the University; and
  2. protecting personal information held by the University against unauthorised disclosure.

(10) Charles Sturt University students are responsible for:

  1. reporting via Student Central as soon as possible any identified, suspected or possible unauthorised disclosure of personal information held by the University; and
  2. maintaining appropriate data protection of their personal data.

(11) IT Service Desk is responsible for:

  1. registering reported incidents;
  2. providing specialised advice (where possible) to the individual reporting the incident on options for preventing further damage; and 
  3. escalating the incident within the IT Service Management Platform to IT Security Team.

(12) Student Central is responsible for:

  1. registering reported incidents;
  2. providing specialised advice (where possible) to the individual reporting the incident on options for preventing further damage; and 
  3. escalating the incident within the IT Service Management Platform to IT Security Team.

(13) The IT Security Team is responsible for:

  1. assessing assigned security breaches; and 
  2. reporting breaches to the Data Breach Response Team.

(14) Data Breach Response Team are responsible for:

  1. actioning the data breach response process within specified time constraints;
  2. maintaining adequate documentation of suspected data breaches reported and steps taken to deliver on compliance and University reporting requirements;
  3. preparing the Notifiable Data Breach Statement - form and submitting it to the CSU Privacy Officer, where applicable;
  4. checking whether each personal data breach incident also fits the critical incident classification; and
  5. notifying the Critical Incident Response Group of any suspected or identified critical incident.

(15) CSU Privacy Officer is responsible for:

  1. overseeing the University's compliance with the Notifiable Data Breaches Scheme;
  2. managing the University's Data Breach Response Plan (includes Data Breach Response Procedure);
  3. chairing the Data Breach Response Team meetings;
  4. approving the prepared Notifiable Data Breach Statement - form (in compliance with legislation);
  5. lodging the Notifiable Data Breach Statement - form with the OAIC;
  6. reporting to the Vice-Chancellor on notifiable data breach compliance and OAIC notifications; and 
  7. approving any additional information about a University data breach that is to be provided to impacted individuals or other third parties. This could be in addition to, or separate from, a Notifiable Data Breach Statement - form.

(16) Executive Director, Division of Information Technology is responsible for:

  1. contributing as a member of the Data Breach Response Team; and
  2. supporting the availability of technical expertise to undertake data breach response and remedial actions.

(17) Data Security and Governance Committee is responsible for:

  1. promoting the adoption of information management and Information and Communications Technology (ICT) security controls to ensure integrity, availability and confidentiality of personal information; and 
  2. providing guidance on improvements to protect personal information from unauthorised disclosure.

(18) Application, Data and Information Custodians are responsible, for the personal information and data within their area of responsibility, for:

  1. reporting via the IT Service Desk as soon as possible any identified, suspected or possible unauthorised disclosure of personal information held by the University; and
  2. actively managing and maintaining protection against unauthorised disclosure. This includes aspects such as:
    1. purpose, capture, use, movement, storage and retention;
    2. access controls, both electronic and physical records;
    3. staff training (including manual handling); and
    4. monitoring for unauthorised disclosure.

(19) The Emergency Planning Committee and Critical Incident Response Group are responsible for notifying the Data Breach Response Team via email of any suspected or identified personal data breaches.

Part A - Reporting a Data Breach

(20) All University staff must report any suspected or known breaches of personal information held by the University to the IT Service Desk as soon as possible.

(21) All University students must report any suspected or known breaches of personal information held by the University to Student Central as soon as possible.

Part B - Containing a Data Breach

(22) The suspected or known breach must be promptly contained to minimise the scope and impact of the breach.

(23) The IT Service Desk will:

  1. record the incident;
  2. where possible, contain the data breach; and  
  3. escalate the incident to the IT Security Team.

Part C - Preliminary Data Breach Assessment

(24) The IT Security Team will complete a preliminary assessment to determine the criticality and eligibility of the incident as soon as possible.

(25) On completion of preliminary assessment:

  1. if it is determined that there has been an eligible data breach, the IT Security Team must notify the Data Breach Response Team with the results including the:
    1. likelihood of causing serious harm to individuals;
    2. number of individuals impacted; and
    3. nature and scope of the data breach.
  2. if it is determined that there has not been an eligible data breach, the IT Security Team must:
    1. consider how the data breach occurred;
    2. recommend enhanced personal information security measures;
    3. seek endorsement of recommendations from the Data Breach Response Team; and
  3. if it cannot be determined whether there has been an eligible data breach, the IT Security Team must:
    1. complete a more detailed risk assessment within a 30-day period in order to determine if it is an eligible data breach; and
    2. on completion of the detailed risk assessment, if it is determined that there:
      1. has been an eligible data breach, see clause 25(a); and 
      2. has not been an eligible data breach, see clause 25(b).

Part D - Reporting a Data Breach

(26) On receipt of the data breach assessment report, the Data Breach Response Team will assess and determine if it is a notifiable breach.

(27) If it is determined that it is a notifiable breach, the Data Breach Response Team will:

  1. complete a list of individuals impacted;
  2. consider if there is any additional information required to support the:
    1. data custodian;
    2. impacted individuals; and 
    3. completion of the Notifiable Data Breach Statement - form;
  3. prepare a Notifiable Data Breach Statement - form;
  4. submit the Notifiable Data Breach Statement - form to the CSU Privacy Officer;
  Note: on receipt of the prepared Notifiable Data Breach Statement - form, the CSU Privacy Officer approves and submits the Notifiable Data Breach Statement - form along with any approved additional information to the Office of the Australian Information Commissioner;
  5. notify and advise impacted individuals, relevant University areas and the Vice-Chancellor's Office that:
    1. possible vulnerabilities have been identified; and
    2. a Notifiable Data Breach Statement - form has been lodged;
  6. advise remedial actions to be undertaken by relevant stakeholders;
  7. monitor the delivery of remedial actions; and
  8. capture and report on success of remedial actions undertaken by relevant stakeholders.

(28) If it is determined that it is not a notifiable breach, the Data Breach Response Team will:

  1. consider how the data breach occurred;
  2. recommend enhanced personal information security measures; and 
  3. communicate and provide recommendations to the data custodian and relevant stakeholders.

Section 5 - Guidelines

(29) Nil.