Privacy Data Breach Response Process

What is a Privacy Data Breach?

(1) A privacy data breach is unauthorised access or disclosure of personal information, or loss of personal information. Personal information is information about an identified individual or an individual who is reasonably identifiable.

(2) A privacy data breach may be caused by malicious action (either external or internal), human error, or a failure in information handling or security systems. Examples include:

  1. loss or theft of physical devices (such as laptops and storage devices) or paper records that contain personal information
  2. unauthorised access to personal information by an employee
  3. unauthorised access to personal information by an external party
  4. inadvertent disclosure of personal information due to ‘human error’, for example an email sent to the wrong person
  5. disclosure of an individual’s personal information to a scammer, as a result of inadequate identity verification procedures.

Privacy Data Breach Response Process

(3) The University’s Privacy Data Breach Response Process comprises four steps:

  1. Step 1: Report and contain the privacy data breach to prevent any further compromise of personal information.
  2. Step 2: Assess the privacy data breach by gathering the facts and evaluating the risks, including potential harm to affected individuals and, where possible, taking action to remediate any risk of harm.
  3. Step 3: Notify individuals, regulatory bodies such as the NSW Information and Privacy Commissioner (NSW IPC), the Office of the Australian Information Commissioner (OAIC), or others if required. In some circumstances it will be mandatory for the University to notify one or more of these regulatory bodies.
  4. Step 4: Review the incident and consider what actions can be taken to prevent future breaches.

Step 1: Report and Contain

(4) If a University staff member suspects that a privacy data breach has occurred, the University staff member must immediately:

  1. seek guidance to stop unauthorised practices by resetting passwords, revoking access privileges or remediating system or security weaknesses;
  2. report the suspected data breach to their supervisor and Head of Work Unit. Suspected Health Clinic privacy data breaches should also be reported to the Health Clinic Manager;
  3. complete the Data Breach Report and provide it to their Head of Work Unit and the Information Privacy Officer at privacy@scu.edu.au; and
  4. where the suspected data breach involves technology-based data, notify Technology Services’ Service Desk.

(5) The Head of Work Unit, in consultation with the Information Privacy Officer (and Technology Services representative where relevant), must take immediate action to limit the breach, remediate harm and preserve evidence.

(6) To identify strategies to contain a privacy data breach, the Head of Work Unit should consider:

  1. How did the privacy data breach occur?
  2. Is the personal information still being accessed or disclosed without authorisation?
  3. Who has access to the personal information?
  4. What can be done to secure the information, or stop the unauthorised access or disclosure, and reduce the risk of harm to affected individuals?

(7) During this preliminary stage, be careful not to destroy evidence that may be valuable in identifying the cause of the breach, or that would enable the University to address all risks posed to affected individuals or the University.

Step 2: Assess

Preliminary assessment by the Information Privacy Officer

(8) The Information Privacy Officer must review the Privacy Data Breach Report and undertake any preliminary investigations to confirm the report or seek any clarification or additional detail as necessary.

(9) Based on their review of the Privacy Data Breach Report and the preliminary investigations, the Information Privacy Officer must make an initial assessment of:

  1. whether the reported incident is a privacy data breach;
  2. if it is a privacy data breach, whether the breach may be subject to mandatory reporting and if so any time limitations relating to that reporting;
  3. if it is a privacy data breach, the risk posed by the breach based on:
     1. the number of individuals affected by the breach;
     2. the type of personal information involved;
     3. the likelihood of serious harm to affected individuals;
     4. whether the breach or suspected breach indicates a systematic problem in the University’s processes or systems;
     5. media or stakeholder attention as a result of the breach or suspected breach; and
     6. whether remedial actions have successfully prevented harm to affected individuals.

(10) The Information Privacy Officer will provide their initial assessment to the Director, Governance Services as soon as possible. Where the incident involves a possible privacy data breach which requires mandatory reporting, the Director, Governance Services must be notified within 24 hours.

Assessment by the Director, Governance Services

(11) The Director, Governance Services may request further information from the Information Privacy Officer or relevant Head of Work Unit.

(12) The Director, Governance Services will review the initial assessment and determine:

  1. whether the incident is a privacy data breach; and
  2. if it is a privacy data breach, the risk of serious harm to either the University or an individual.

(13) If the Director, Governance Services determines that the incident is not a privacy data breach, the Information Privacy Officer and relevant Head of Work Unit will take such action as is necessary to close out the incident.

(14) If the Director, Governance Services determines that the incident is a privacy data breach but that serious harm is, at most, unlikely (based on the University Risk Matrix):

  1. the incident will not be escalated to the Privacy Data Breach Response Group;
  2. the Information Privacy Officer will record the incident in the Privacy Data Breach Register; and
  3. the Director, Governance Services will work with the Information Privacy Officer and the relevant Head of Work Unit to determine what action is necessary to close out the incident. This may include giving voluntary notification to the affected individuals and the NSW Information and Privacy Commissioner.

(15) If the Director, Governance Services determines that the incident is a privacy data breach and that serious harm is at least possible (based on the University Risk Matrix), the incident will be escalated to the Privacy Data Breach Response Group within 48 hours of the report of a data breach. The Director, Governance Services will also notify the relevant Executive members who may request to be made members of the Privacy Data Breach Response Group, for this particular breach.

Assessment by the Privacy Data Breach Response Group

(16) The Privacy Data Breach Response Group will comprise:

  1. Director, Governance Services (or nominee)
  2. Chief Information Officer (or nominee)
  3. Information Privacy Officer
  4. Relevant Head of Work Unit
  5. Relevant Executive members (if they have requested to be part of the Privacy Data Breach Response Group)

(17) The Privacy Data Breach Response Group may co-opt other members such as:

  1. Director, HR Services (or nominee) – where the privacy data breach involves employees
  2. Chief Marketing Officer (or nominee) – where the privacy data breach is likely to attract publicity
  3. Vice President (Students) and Registrar (or nominee) – where the privacy data breach involves a large number of students
  4. Deputy Vice Chancellor (Research and Academic Capability) (or nominee) – where the privacy data breach involves research data
  5. University Lawyer – where the privacy data breach has significant legal risks or there may be resulting legal or regulatory action.
  6. Manager, Cyber & Information Security

(18) The Director, Governance Services will convene a meeting of the Privacy Data Breach Response Group as soon as possible. The Privacy Data Breach Response Group may meet in person or by teleconference or videoconference. The Privacy Data Breach Report and the results of the preliminary investigation will be provided at the first meeting of the Privacy Data Breach Response Group.

(19) The Privacy Data Breach Response Group is responsible for assessing whether:

  1. the data breach is likely to result in serious harm to one or more individuals; and
  2. the University has been able to prevent the likely risk of serious harm with remedial action.

(20) Based on their assessment of the above, the Privacy Data Breach Response Group will make a recommendation to the Vice President (Operations).

(21) On receipt of the recommendation from the Privacy Data Breach Response Group, the Vice President (Operations) will determine whether:

  1. mandatory notification to regulatory bodies such as the OAIC or affected individuals is required; and
  2. where notification is not mandatory, voluntary notification to regulatory bodies such as the OAIC, NSW IPC or affected individuals should be made.

(22) The Vice President (Operations) will make this determination as soon as possible and within any timeframes required under the relevant legislation.

(23) If the Vice President (Operations) determines that mandatory notification is not required:

  1. the Information Privacy Officer will record the incident in the Privacy Data Breach Register; and
  2. the Information Privacy Officer and the relevant Head of Work Unit will take any actions necessary to close out the incident. This may include giving voluntary notification to the OAIC, the NSW IPC or affected individuals as determined by the Vice President (Operations).

Step 3: Notify

Mandatory notification

(24) If the Vice President (Operations) determines that mandatory notification to regulatory authorities, or the affected individuals is required, the Director, Governance Services is responsible for preparing and sending out the relevant notifications with assistance from the Information Privacy Officer. The Information Privacy Officer must keep a record of all notifications.

Voluntary notification

(25) If the Vice President (Operations) determines that there should be voluntary notification to the OAIC, the NSW IPC or affected individuals, the Director, Governance Services is responsible for preparing and sending out the relevant notifications with assistance from the Information Privacy Officer. The Information Privacy Officer must keep a record of all notifications.

Additional notifications

(26) The Director, Governance Services and the Vice President (Operations) must consider whether additional people or entities should be made aware of the actual or suspected privacy data breach. For example:

  1. Internal staff – if the breach is likely to be reported on in the media or there is widespread discussion concerning the breach by staff members
  2. Insurers – if there is likely to be a claim against any of the University’s insurance policies. This will be managed by the Manager, Insurance and Risk
  3. Law enforcement agencies – if the breach involves criminal activity.

(27) In addition, if the data breach is the result of possible misconduct by a University student or staff member:

  1. a complaint may be made in accordance with the Complaint Policy – Staff; or
  2. an allegation may be made in accordance with the Rules – Student Academic and Non-Academic Misconduct Rules.

Additional considerations

(28) If law enforcement agencies are involved, the Director, Governance Services will ascertain whether notification should be withheld or delayed to avoid compromising the investigation.

(29) If the privacy data breach is likely to attract publicity, the Director, Governance Services must notify the Chief Marketing Officer so as to co-ordinate the timing and prepare content for any media release or statement.

Step 4: Review

(30) The Director, Governance Services will conduct a post-breach review and assessment to improve personal information handling practices. The Director, Governance Services will seek informal input and assistance from the Privacy Data Breach Response Group and others as required.

(31) The Director, Governance Services will:

  1. determine whether any data handling or data security practices led or contributed to the relevant privacy data breach;
  2. consider whether there are any further actions that need to be taken as a result of the relevant privacy data breach, such as:
     1. updating security measures;
     2. reviewing and updating this privacy data breach response plan;
     3. making appropriate changes to practices, systems, other processes, policies and procedures;
     4. revising staff training practices;
     5. reviewing external vendors' security or contract terms and ongoing engagement; and
     6. considering undertaking an audit to ensure necessary outcomes are implemented.

(32) Where a privacy data breach occurs resulting in mandatory notification, the Director, Governance Services will provide a report to the Vice Chancellor's Group on the breach and the outcome.

(33) The Director, Governance Services will provide an annual report to the Vice Chancellor's Group and the Audit and Risk Management Committee regarding the incidence and outcome of privacy data breaches.