Notifiable Data Breaches


Overview

Rehoboth is committed to the management of personal information in accordance with the Commonwealth Privacy Act 1988 (Cth), Australian Privacy Principles and the School Privacy policy.

The Privacy Act has been updated to include the Notifiable Data Breach Scheme, which came into effect in February 2018. The NDB requires that, in the event of an eligible data breach, individuals at risk of serious harm from the data breach are notified, along with the Office of the Australian Information Commissioner (OAIC).

Rehoboth needs to be prepared to respond quickly in the event of a data breach and make an assessment as to whether the breach is likely to cause serious harm and is eligible to be reported. The NDB policy aims to ensure that suspected or eligible data breaches are dealt with in accordance with the Privacy Act 1988 and the Notifiable Data Breaches (NDB) Scheme.

Rationale and Scope

This policy applies to all permanent, fixed term and casual employees at Rehoboth Christian College, teaching and non-teaching. It also extends to contractors and volunteers (relevant individuals) engaged to undertake work on behalf of the school.

References

  1. Commonwealth Government 1988, Privacy Act;
  2. Office of the Australian Information Commissioner (OAIC) 2014, Australian Privacy Principles;
  3. Office of the Australian Information Commissioner (OAIC) 2018, Data Breach Notification Guide: A Guide to Handling Personal Information Security Breaches;
  4. Office of the Australian Information Commissioner (OAIC) 2018, Data Breach Preparation & Response;
  5. Office of the Australian Information Commissioner (OAIC) 2017, What to Include in an Eligible Data

Definitions

  1. Data Breach: A data breach occurs where ‘personal information held by an organisation is lost or subjected to unauthorised access, modification, disclosure, or other misuse or interference.’
  2. Notifiable Data Breach (NDB): A notifiable data breach is defined as a data breach that is likely to result in serious harm to any of the individuals to whom the information relates.
  3. Eligible Data Breach: An eligible data breach occurs when all three criteria are met:
    1. There is unauthorised access to, or unauthorised disclosure of personal information, or a loss of personal information, that an entity holds
    2. This is likely to result in serious harm to one or more individuals and
    3. The entity has not been able to prevent the likely risk of serious harm with remedial action.
  4. Notifiable Data Breach Scheme (NDBS 2018): An amendment to the Commonwealth Privacy Act 1988 (Cth) that requires schools and other organisations to notify an Eligible Data Breach to affected individual(s) and the Office of the Australian Information Commissioner (OAIC).
  5. Personal Information: Personal information is defined as information or an opinion, whether true or not, and whether recorded in material form or not, about an identified individual, or an individual whose identity is reasonably apparent, or can be determined, from the relevant information or opinion, and includes such information as a person’s name, address, financial information, marital status or billing details. Personal Information includes ‘Sensitive Information’ and ‘Health Information’.
  6. Sensitive information: is information or opinion about a set of specific characteristics, including a person’s racial or ethnic origin, political opinions or affiliations, religious beliefs or affiliations, philosophical beliefs, sexual preferences or practices; or criminal record. It also includes health information.
  7. Individual: Includes students, parents/guardians, prospective parents/guardians, staff, prospective staff, volunteers, alumni, suppliers, visitors, contractors and board members.
  8. Serious Harm: May include physical, psychosocial, emotional, economic, financial harm or reputation damage resulting from any Data Breach.

Processes When a Data Breach Occurs or is Suspected

  1. Where a Data Breach is known to have occurred or is suspected to have occurred, the staff members who identify this must bring it to the immediate attention of the School Principal, or in their absence, a member of the School Leadership Team.
  2. Information that must be provided at this point includes:
    1. When the breach occurred (time and date)
    2. Description of the breach (type of personal information involved)
    3. Cause of the breach (if known) otherwise how it was discovered
    4. Which system(s) if any are affected
    5. Which directorate/faculty/institute is involved
    6. Whether corrective action has occurred to remedy or ameliorate the breach (or suspected breach).

See Appendix 1 for Data Breach Process Form to assist in documenting the required information.

Assess and Determine the Potential Impact

Once the Principal, Members of the Leadership Team (The Response Team) has been notified of the information above, consideration will be given as to whether a Data Breach has (or is likely to have) occurred, and a preliminary judgement will be made as to its severity.

Criteria for Determining whether a Data Breach has Occurred

The following aspects will be considered when determining whether a Data Breach has occurred:

  1. Is personal information involved?
  2. Is the personal information of a sensitive nature? (Refer to Definitions)
  3. Has there been unauthorised access to personal information, or unauthorised disclosure of personal information, or loss of personal information in circumstances where access to the information is likely to occur?

Criteria for Determining Severity

The following criteria will be considered when determining the severity of any Data Breach:

  1. The type and extent of personal information involved
  2. The number of individuals that have been affected
  3. Whether the information is protected by any security measures (password protection or encryption)
  4. The person or kinds of people who now have access to the information
  5. Whether there is, or could be, a real risk of ‘serious harm’ (physical, psychosocial, emotional, economic, financial harm or reputation) to the affected individual(s)
  6. The possibility that there could be media or stakeholder attention as a result of the breach or suspected breach.

See Appendix 2 for Data Breach Process Form to assist in assessing and determining the severity of any Data Breach.

Non-Eligible Data Breach

  1. Upon review of the information provided, the Response Team will determine whether the breach is eligible for notification to the OAIC. Where it has been determined that a Data Breach has occurred and it is assessed not to cause ‘serious harm’ to the individual(s) affected, the breach will be managed at a school level by the Response Team.
  2. To ensure an appropriate response to the identified breach the Response Team will:
    1. Immediately contain the breach
    2. Immediately inform all members of the School Board and other key stakeholders
    3. Ensure that immediate corrective action is taken if this has not already occurred. This action may include but not be limited to informing all affected individuals of the breach
    4. Retrieval or recovery of the personal information
    5. Ceasing authorised access to the information
    6. Shutting down or isolating the affected system
    7. Prepare a briefing for Staff Members and the School Board.
  3. Prepare a report containing the following:
    1. A description of the breach or suspected breach
    2. The corrective action taken
    3. Responsibilities and a timeframe for achieving the actions
    4. The outcome of action taken
    5. Processes to be implemented to prevent reoccurrence.

Eligible Data Breach

  1. If there are reasonable grounds to deem the Data Breach to have the potential to cause ‘serious harm’ and be ‘eligible of notification’, the Response Team will immediately prepare a Notifiable Data Breach Statement.
  2. The Notifiable Data Breach Statement must be finalised within 30 days and be submitted to the OAIC via its website. A Notifiable Data Breach Form may also be completed online via the OAIC website.
  3. The statement will be lodged by the Principal or a delegated representative. Once the Notifiable Data Breach Statement has been lodged, the Response Team will conduct a review of all aspects to:
    1. Determine remedial action/s required to reduce the likelihood of reoccurrence
    2. Ensure all relevant policies, procedures and processes are comprehensively reviewed and amended
    3. Prepare a report / briefing for Staff Members and the School Board
    4. Prepare a communication for the Parent Community outlining the breach, its causes, and action taken to contain, inform affected individual(s) and to prevent re-occurrence

Appendix 1 - Data Breach Process Form

Data Breach Information

Date of Breach:

 

Anticipated Time of Breach:

 

Description of Breach:

Describe the type of personal information involved eg contact details, dates of birth.

☐ Financial Details

☐ Contact Information

☐ Health Information

☐ Other Sensitive Information

☐ Other

Cause of Breach:

If known, describe how the Data Breach was discovered.

Which System(s) if Any Are Affected?

 

Has Action Been Taken to Correct or Remedy the Breach?

 

Other Background Information

 

 

Reporting Staff Member:

 

Date

 

Appendix 2 - Assessment & Determination of Potential Impact

Criteria for determining whether a Data Breach has occurred:

Is Personal Information involved?

Yes □ / No □

Is the Personal Information of a Sensitive Nature?

Yes □ / No □

Sensitive Information: person’s racial or ethnic origin, political opinions or affiliations, religious beliefs, philosophical beliefs, sexual preferences or practices; or criminal record.

Has there been unauthorised access, loss or disclosure of personal information where access to the information is likely to occur?

Yes □ / No □

 

Criteria for determining the severity of the Data Breach:

What type of Personal Information was involved & to what extent?

 

Have multiple individuals been affected?

Yes □ / No □

If yes, provide further details

Is the information protected by any security measures?

Yes □ / No □

If yes, provide further details

Provide details on the person or kinds of people who now have access to the information:

 

Determine whether there is, or could be a real risk of ‘serious harm’ to the affected individuals.

Serious physical, psychosocial, emotional, economic, financial harm or reputation damage.

Determine if there could be media or external stakeholder attention as a result of the breach or suspected breach.

 

Other relevant Information

 

Appendix 3 - Data Breach Response Process

Updated on 17 April 2023
Copyright © 2025 Rehoboth Christian College