UAC Data Breach Policy

UAC Data Breach Policy and Public Notification Register

Part 6A of the Privacy and Personal Information Protection Act 1998 (NSW) (the PPIP Act) sets out obligations of public sector agencies, including UAC, in relation to data breaches involving personal information.

These obligations include a requirement to prepare and publish a data breach policy and to keep a register of public notifications made to affected individuals.

The Data Breach Policy outlines the approach taken by UAC to comply with the Mandatory Notification of Data Breach (MNDB) Scheme provisions outlined in Part 6A of the PPIP Act.

Further information and resources on the MNDB Scheme are available on the website of the NSW Information and Privacy Commission.

Data Breach Policy

Effective from July 2024

1. Purpose

The purpose of this policy is to provide guidance to UAC personnel and others involved in managing a data breach.

This policy outlines the broad principles and requirements that UAC personnel, including employees and contractors, must comply with in responding to data breaches, as defined in this policy, including ‘eligible data breaches’ under Part 6A of the Privacy and Personal Information Protection Act 1998 (NSW) (PPIP Act).

UAC is committed to best-practice management of the personal information it collects and holds, and to the management of data breaches in accordance with Part 6A of the PPIP Act. Data breaches can result in serious harm to the individuals whose personal information is involved, damage UAC’s reputation and result in a breach of UAC’s legal obligations.

UAC is required to prepare and publish this data breach policy under section 59ZD of the PPIP Act.

UAC’s Data Breach Response Plan sets out the detailed procedure for managing and responding to data breaches and should also be referred to in the event of a data breach.

Where a data breach is also a cyber security incident, UAC’s Crisis Management Policy and related procedures will also apply.

2. Scope

This policy applies to:

  • employees (ongoing, temporary and casual, including those on secondment)
  • contractors (including employees, agents or subcontractors engaged by a contractor)
  • agency staff engaged to perform work for, or provide services on behalf of, UAC
  • work experience students and volunteers
  • consultants where their engagement requires adherence to UAC’s Code of Conduct
  • any other authorised person accessing UAC’s systems, networks and/or information

all collectively defined as ‘UAC personnel’.

This policy will be reviewed and updated annually, or more frequently if required.

3. Definitions

  • Assessor – a person directed by the Privacy Officer to carry out an assessment of a data breach.
  • Crisis Management Team – a team consisting of UAC staff assembled to coordinate UAC’s response to a cyber security and/or data breach incident (whether an eligible data breach or not).
  • Cyber security incident – an occurrence or activity that may threaten the confidentiality, integrity or availability of a system or the information stored, processed or communicated by it.
  • Data breach – the unauthorised access to, unauthorised disclosure of, or a loss of, personal information held by UAC.
  • Eligible data breach – a data breach likely to result in serious harm to individuals whose personal information is involved in the data breach.
  • HRIP Act – the Health Records and Information Privacy Act 2002 (NSW).
  • Personal information – information or an opinion about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion. In this policy, personal information also encompasses health information within the meaning of the HRIP Act and includes information about an individual’s physical or mental health, or disability, or information connected to the provision of a health service to an individual.
  • PPIP Act – the Privacy and Personal Information Protection Act 1998 (NSW).

4. Roles and responsibilities

UAC personnel must:

  • ensure that they have read this policy and the Data Breach Response Plan and that they understand what is expected of them
  • comply with the PPIP Act and HRIP Act including protecting personal information held by UAC from unauthorised access, disclosure or loss
  • immediately report a data breach or suspected data breach to the Privacy Officer
  • respond to requests for information from, and cooperate with, the Privacy Officer and/or the Crisis Management Team
  • otherwise comply with this policy and the Data Breach Response Plan.

The Privacy Officer is responsible for:

  • assessing the severity of data breaches involving personal information and the likelihood that a breach will result in serious harm to an individual to whom the information involved relates, and notifying the Privacy Commissioner, affected persons and others where required
  • immediately reporting all data breaches that are also cyber security incidents to the Chief Information Security Officer, if they have not already been reported.

The Chief Information Officer is responsible for:

  • immediately reporting all cyber security incidents that are also data breaches to the Privacy Officer, if they have not already been reported
  • implementing the Crisis Management Plan and related procedures if the data breach is also a cyber security incident.

A Crisis Management Team will be assembled for any data breach.

The Crisis Management Team will manage and provide advice to the Managing Director (or delegate) in relation to the data breach response.

People, known as assessors, may also be directed by the Privacy Officer to carry out an assessment of the data breach.

5. How UAC has prepared for a data breach

UAC has implemented a range of measures to ensure that it is prepared in the event of a data breach, including the following:

  • developing detailed operational plans and procedures to support this policy in the event of a data breach. Those operational plans and procedures are to be made available to relevant staff.
  • scheduling annual review and updating of this policy, or more frequent review and updating if needed
  • implementing a requirement for all UAC personnel to complete annual privacy awareness training that outlines their responsibilities in relation to collecting, storing, using and disclosing personal information
  • implementing a Cyber Security Awareness program
  • implementing a requirement for staff to classify information in accordance with UAC’s Information Classification, Labelling and Handling guidelines
  • ensuring that, when entering into contracts that involve suppliers handling personal information on behalf of UAC, there are appropriate contractual provisions in place that require the supplier to handle personal information appropriately and securely and to provide assistance to UAC in dealing swiftly and effectively with a data breach impacting that personal information
  • carrying out cyber security risk assessments for procurement and use of digital products, tools, and vendors
  • implementing a suite of cyber security policies, standards, procedures, and guidelines
  • regularly exercising its preparation in line with the Crisis Management Policy.

6. Data breaches

6.1 What is a data breach?

A data breach occurs when there is unauthorised access to, unauthorised disclosure of, or a loss of, personal information held by UAC.

A data breach need not originate outside UAC. It can be caused by UAC personnel acting within UAC, or by an external person accessing data held by UAC without authorisation.

Personal information means information or an opinion about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion. In this policy, personal information also comprises health information within the meaning of the HRIP Act and includes information about an individual’s physical or mental health, or disability, or information connected to the provision of a health service to an individual.

A data breach can be caused in various ways, including by malicious actions, human error or a failure in information handling or security systems.

Examples of data breaches include:

  • malware infection affecting personal information
  • access to user accounts gained through successful phishing
  • attempts to gain unauthorised access to personal information held on UAC’s IT systems
  • the accidental loss or theft of a paper record, laptop, or USB stick containing personal information
  • an email containing personal information sent to the wrong recipient
  • an employee using work systems to look up someone else’s personal information for non-work-related reasons.

6.2 Impact of data breaches

The impact of a data breach depends on the nature and extent of the breach and the type of data that has been compromised.

A data breach can result in serious harm to an impacted individual whether the breach affects one person or several thousand.

Harm can be physical, psychological, emotional, financial or reputational.

Examples of harms include:

  • identity theft
  • financial loss
  • blackmail
  • threats to personal safety
  • humiliation
  • stigma
  • embarrassment
  • damage to reputation or relationships.

UAC may also be negatively impacted by a data breach and may experience:

  • reputational damage
  • financial loss
  • loss of public trust in UAC or the services it provides
  • threats to UAC’s systems.

6.3 Reporting of data breaches

All data breaches or suspected data breaches identified by UAC personnel must be reported immediately to the Privacy Officer or the Chief Information Officer.

The requirement to report data breaches includes any breaches that have already been contained, for example, if a stolen laptop has been recovered, or lost hard copy files returned.

Members of the public can also report actual or suspected data breaches to UAC.

6.4 Eligible data breaches

A data breach that is likely to result in serious harm to an individual to whom the information relates is an eligible data breach.

An eligible data breach must be reported to the NSW Privacy Commissioner and in some cases also to the Office of the Australian Information Commissioner.

Impacted individuals must also be notified.

All notifications of eligible data breaches will be carried out by the Privacy Officer.

7. Data breach response process

UAC personnel must respond to a data breach in accordance with the Data Breach Response Plan, and if the data breach is also a cyber security incident, in accordance with the Crisis Management Policy and related procedures.

The response to a data breach will involve:

Containment

All reasonable efforts will immediately be made to contain the breach and preliminary fact-finding will be carried out.

Assessment

An assessment will be carried out to determine the severity of the breach and the likelihood that the breach will result in serious harm to an individual to whom the information involved relates (that is, to determine whether the breach is an ‘eligible data breach’). Simultaneously, steps will be taken with the aim of mitigating harm resulting from the breach.

Notification

  1. If the assessment concludes that the breach is likely to result in serious harm to an individual to whom the information relates (and so is an eligible data breach), the NSW Privacy Commissioner will immediately be notified of the breach and, unless an exemption applies, individuals affected by the breach will also be notified as soon as practicable.
  2. Where UAC is unable to notify, or where it is not reasonably practicable to notify, any or all individuals whose personal information was the subject of the breach, UAC will publish a notification on its website in a public notification register and will take reasonable steps to publicise that notification.
  3. If the data breach involves tax file numbers, the Australian Information Commissioner will also be notified where the Privacy Act 1988 (Cth) requires it.
  4. If the breach is not an eligible data breach, consideration will be given to notifying individuals and the NSW Privacy Commissioner.

Review

A review of the breach will be carried out, including to identify steps that may be taken to prevent future breaches. All eligible data breaches will be added to UAC’s internal register of eligible data breaches, as required under the PPIP Act.

The Crisis Management Team will coordinate UAC’s response to the breach.

8. Contacts

8.1 UAC

Members of the public should report data breaches involving UAC by completing an online enquiry form or by emailing privacy@uac.edu.au.

UAC staff should report data breaches by emailing privacy@uac.edu.au.

8.2 External

Information and Privacy Commission
1800 472 679
ipcinfo@ipc.nsw.gov.au

Office of the Australian Information Commissioner
1300 363 992
enquiries@oaic.gov.au

Register of Public Notifications

The PPIP Act requires UAC to keep a register of all public notifications of eligible data breaches and to make that register available on its website.

A public notification is provided when it is not reasonably practicable to notify any or all of the individuals affected by the breach directly.

Register of all public notifications made by UAC in the previous 12 months:

UAC data breach identifier | Date of data breach | Date UAC became aware of data breach | Description of data breach | Type of data breach
N/A: There have been no notifications made in the previous 12 months.

Public reporting of data breaches

Members of the public can report suspected data breaches involving personal information held by UAC using the online enquiry form.