Data Breach Policy
1. Purpose
1.1 The Data Breach Policy (the policy) provides a framework for how UTS identifies, responds to and manages a data breach involving personal information and/or health information (hereafter personal information).
1.2 This policy:
- applies to all actual and suspected data breaches involving personal information
- supports the university’s obligations under the Mandatory Notification of Data Breach (MNDB) Scheme under Part 6A of the Privacy and Personal Information Protection Act 1998 (NSW) (PPIPA)
- supports the university’s obligations under the Notifiable Data Breaches (NDB) scheme under the Privacy Act 1988 (Cwlth), and
- supports data breach obligations that may apply to UTS under other privacy laws or contracts where relevant.
2. Scope
2.1 This policy applies to all staff and affiliates (hereafter staff), students and contracted service providers.
2.2 This policy does not cover bodies that operate independently of the university’s governance framework, including controlled or associated entities of UTS.
2.3 Data breaches that do not involve personal information are managed in line with the Records Management Policy and the Information Security Policy as appropriate.
3. Principles
3.1 The principles outlined in the Privacy Policy apply to this policy. In addition to those principles, UTS will:
- work to limit and prevent data breaches by continually improving its information management practices
- have systems in place to identify data breaches, and
- respond to any suspected or actual data breaches in line with legislative obligations and community expectations.
4. Policy statements
Risks and controls
4.1 In line with the MNDB Scheme, UTS will:
- publish and maintain this policy for the management of data breaches involving personal information (hereafter data breaches), and
- notify the NSW Privacy Commissioner and affected individuals of an eligible data breach (refer Definitions) where required.
4.2 A data breach may occur in situations where, for example:
- user credentials are exposed, resulting in unauthorised access or removal of personal information from UTS systems
- personal information is emailed to the wrong recipient
- personal information is not handled or stored in accordance with the correct security classification or with the required security or access controls
- a portable device or physical record is lost in a public place
- personal information is accessed by external actors through a cyber attack, or
- someone’s legitimate access to information is misused.
4.3 The scale and impact of a data breach can be affected by several data management practices. These include:
- collecting personal information that is not necessary
- keeping personal information for too long
- system security and access controls
- the type of individual affected (for example, vulnerable people), and
- the intentions of those concerned (whether the breach was malicious in nature).
4.4 Contracted service providers that perform UTS functions involving personal information (for example, hosting systems) must have appropriate data breach clauses in their contract to meet UTS’s obligations under this policy, including at a minimum:
- timeframes for reporting suspected data breaches to UTS
- requirements for cooperation in assessing and mitigating a data breach, and
- where relevant, notification responsibilities.
4.5 UTS will develop, implement and maintain a data breach response plan (available at Data breaches (SharePoint)). The plan:
- aligns with the critical incident response framework (refer Critical Incident Response Policy)
- aligns with the Information Security Policy Framework (refer Beyond the firewall: UTS Cybersecurity (SharePoint)), and
- outlines data breach reporting and response mechanisms in line with this policy.
Reporting a data breach
4.6 Staff must report all suspected or actual data breaches as soon as possible, and normally within 24 hours of becoming aware of the breach, to the UTS Privacy Officer (refer Privacy contacts) and the cybersecurity team in the Information Technology Unit (ITU) via data.breach@uts.edu.au.
4.7 Once a suspected data breach is reported, data breach response steps must be followed as outlined in Appendix 1.
4.8 Students are also strongly encouraged to come forward to report a suspected or actual data breach.
4.9 The UTS Privacy Officer will determine whether the data breach report could be a suspected eligible data breach under the MNDB Scheme. Suspected eligible data breaches are forwarded to the Director, Governance Support Unit (GSU) for management under the MNDB Scheme.
Containing a data breach
4.10 Staff who have identified a data breach must take immediate steps to reduce the impact of the data breach (refer Appendix 1 and the data breach response plan (available at Data breaches (SharePoint))).
4.11 Containment action and support must be obtained from ITU and the cybersecurity team (for cybersecurity-related incidents) or Security and Emergency Management (for physical incidents) until the incident is resolved.
Responding to a data breach
4.12 Where a data breach involves data from another agency or third party (including a controlled or associated entity) the Director, GSU will advise and consult with the relevant party regarding the responsibilities and steps needed to respond to the breach.
4.13 Where required, based on the size and suspected severity of the incident, a data breach response team may be established by the Director, GSU to further respond to and manage the incident in line with the data breach response plan.
4.14 In some cases, the data breach response team may escalate the incident as a critical incident in line with the Critical Incident Response Policy.
Determining eligible data breaches
4.15 Where an eligible data breach is suspected, the Director, GSU will appoint an assessor to confirm whether the data breach meets the requirements of an eligible data breach under the MNDB Scheme and in line with this policy.
4.16 The assessor:
- may be a UTS staff member, a staff member of another public sector agency or another person with sufficient expertise, and
- must not have been involved (or suspected to have been involved) in an action or omission that led to the relevant data breach.
4.17 The assessor must:
- complete their assessment as soon as possible, and at least within 30 days of the initial report of the data breach having been received, unless this timeframe is extended in accordance with the MNDB Scheme by the Director, GSU (refer data breach response plan (available at Data breaches (SharePoint))), and
- advise the Director, GSU if an eligible data breach has, or is likely to have, occurred.
4.18 The Director, GSU will determine, based on the assessor’s report, whether the breach is managed as an eligible data breach. If it is determined to be an eligible data breach, appropriate communications and immediate notifications must occur.
Data breach communications strategy
4.19 To meet the requirements of the MNDB Scheme, and support the data breach response plan, UTS will develop a data breach communications strategy to identify specific roles, responsibilities and communications in the event of an eligible data breach. The strategy must outline:
- who is responsible for communications and other key contacts for communications activities
- a timeline for when affected individuals or organisations will be notified
- how affected individuals will be contacted and managed
- a template of requirements for eligible data breach communications (data breach communications response template), and
- responsibilities for consulting with external stakeholders.
4.20 The Head of Communications, Marketing and Communications Unit is responsible for developing the communications strategy. In the event of an eligible data breach, the Head of Communications will develop a data breach communications plan specific to the requirements of the data breach as part of the data breach response plan.
Data breach notifications
4.21 Once an eligible data breach is determined, the Director, GSU will:
- immediately notify the NSW Privacy Commissioner
- as soon as possible, notify affected individuals (unless an exemption is applied in line with Division 4, Part 6A of the PPIPA)
- as soon as possible, and where relevant to that jurisdiction (for example, a data breach relating to tax file numbers or student fee data, or where reporting is required under a contract), notify the Australian Information Commissioner.
4.22 The Director, GSU may be required to notify a privacy regulator in another jurisdiction under applicable privacy laws.
4.23 Affected individuals under this policy will be notified using the relevant primary communication method for that cohort or individual, for example, via student or staff email accounts or by phone as appropriate. Alternative communication methods may also be used as required and appropriate on a case-by-case basis.
4.24 Where UTS is unable to notify all affected individuals, a notice will be included on the public notification register. The public notification register forms part of the communications strategy for notifying affected individuals in cases where they are not able to be notified otherwise.
4.25 UTS may, with the approval of the relevant data steward, notify individuals affected by a data breach that is not an eligible data breach.
4.26 UTS may engage with and notify other parties in response to a data breach where deemed appropriate on a case-by-case basis. This may include but is not limited to:
- Australian Cyber Security Centre (approved and undertaken by the cybersecurity team)
- third party organisations or agencies whose data may be affected (approved by the relevant data stewards and contract manager, in consultation with the Office of General Counsel (OGC))
- insurers (approved by the Director, Risk or the General Counsel and Executive Director, Risk and Compliance).
Post-breach review and evaluation
4.27 The UTS Privacy Officer, with the support of the data breach response team (where established), must conduct a post-breach review and evaluation to:
- identify weaknesses in the processes, systems or activities that may have contributed to the breach
- assess the effectiveness of UTS’s data breach response activities under this policy
- develop a proposed action plan of preventative measures and mitigation strategies to be put in place for each identified weakness for the approval of the Director, GSU, and
- propose relevant updates to the Privacy Management Plan (available at Privacy regulations), the data breach response plan and this policy.
Capability, expertise and resourcing
4.28 UTS recognises the need for data breaches to be responded to quickly and effectively. To meet this requirement UTS may work with internal and external experts to prepare for, respond to, manage and/or improve responses to data breaches.
4.29 Staff responsible for the management or coordination of data breach responses will receive the appropriate training in implementing this policy and the data breach response plan.
Records management and privacy
4.30 Any records created in response to a data breach, including but not limited to tracking, reporting, assessing and determining eligible data breach status, management activities, communications and notifications must be managed in line with the Records Management Policy.
4.31 The privacy of affected individuals must be maintained in line with the Privacy Policy. Exemptions to specific privacy obligations may be applied in accordance with the MNDB Scheme.
Policy breaches and complaints
4.32 Breaches of this policy will be managed under the Code of Conduct and relevant Enterprise agreements, or the UTS Student Rules as appropriate.
4.33 Data breaches identified as part of a public interest disclosure must also be managed in line with the Whistleblowing and Public Interest Disclosures Policy.
4.34 Any complaints or privacy internal review requests arising from a data breach will be managed in line with the Privacy Policy.
5. Roles and responsibilities
5.1 Policy owner: The Director, Governance Support Unit is responsible for enforcement of and compliance with this policy as well as general oversight of records, information and privacy management at UTS.
The Director, Governance Support Unit is also responsible for the management of suspected eligible data breaches under the MNDB Scheme. The Director, GSU may seek advice from the UTS Privacy Officer, the Chief Data Officer and the General Counsel and Executive Director, Risk and Compliance as required.
5.2 Policy contact: The UTS Privacy Officer is responsible for:
- approving and disseminating procedures and guidelines to implement and support compliance with this policy (at a university-wide level, or activity basis, as appropriate), including the data breach response plan
- testing and reviewing the data breach response plan annually
- incorporating requirements of data breach reporting generally, and the MNDB Scheme, into privacy procedures and training
- supporting data breach responses and providing guidance and advice on meeting the requirements of the MNDB Scheme and other data breach reporting obligations as relevant
- maintaining an internal eligible data breach register to record summary details of eligible data breaches as required under the MNDB Scheme, and
- maintaining the public notification register.
5.3 Implementation and governance roles:
The Vice-Chancellor, as the head of agency for UTS under the MNDB Scheme, must retain responsibility and oversight of certain functions. The functions are assigned (or delegated) by the Vice-Chancellor as authorised under section 59ZJ of the PPIPA.
Table 5.3: Vice-Chancellor assignments under the PPIPA
Responsibility of the head of agency under the MNDB Scheme | Assigned to |
---|---|
Receive reports of suspected eligible data breaches | Director, Governance Support Unit |
Take reasonable efforts to contain a data breach | |
Determine an eligible data breach, including: | Director, Governance Support Unit |
Notification of an eligible data breach | Director, Governance Support Unit |
Publish and review of the Data Breach Policy | Director, Governance Support Unit |
Maintain a public notification register | UTS Privacy Officer |
Maintain an internal eligible data breach register | UTS Privacy Officer |
Data stewards are responsible for promoting awareness to their staff of their obligations under this policy to report a suspected data breach.
The Head of Communications, Marketing and Communications Unit is responsible for developing the data breach communications strategy in collaboration with the Director, Governance Support Unit, the UTS Privacy Officer and the Chief Data Officer.
All staff are required to:
- report a suspected data breach as soon as they suspect, or are first aware of, the breach as required under the MNDB Scheme
- take immediate steps to contain a data breach, including advising relevant staff (for example, ITU or Security and Emergency Management) who can take immediate action, and
- participate in and support the response to a data breach or a post-breach review under this policy where required to do so.
6. Definitions
The following definitions apply for this policy, the data breach response plan and all associated procedures. Definitions in the singular also include the plural meaning of the word.
Affiliate is defined in the Code of Conduct.
Critical incident is defined in the Critical Incident Response Policy.
Data breach means the loss, unauthorised access, disclosure or modification of personal information. A data breach involving personal or health information must be managed in line with this policy, the data breach response plan (available at Data breaches (SharePoint)), the Privacy Policy and the Privacy Management Plan (available at Privacy regulations).
Data steward is defined in the Data Governance Policy.
Disclosure is defined in the Privacy Policy.
Eligible data breach means a data breach where a reasonable person would consider the data breach to likely result in serious harm to the individual or individuals to whom the information relates.
Health information is defined in the Privacy Policy.
MNDB Scheme means the Mandatory Notification of Data Breach Scheme under Part 6A of the Privacy and Personal Information Protection Act 1998 (NSW) (PPIPA).
Personal information is defined in the Privacy Policy. For the purposes of this policy, and the data breach response plan, personal information includes sensitive personal information and health information.
Privacy laws is defined in the Privacy Policy.
Privacy internal review is defined in the Privacy Policy.
Sensitive personal information is defined in the Privacy Policy.
Serious harm means a situation where there may be a real or substantial detrimental effect on an individual as a result of a data breach. This may include physical harm, economic or financial harm, emotional or psychological harm, or reputational harm. Further guidance is available in the Information and Privacy Commission of New South Wales: Guidelines on the assessment of data breaches under Part 6A of the PPIP Act.
Approval information
Policy contact | UTS Privacy Officer |
---|---|
Approval authority | Vice-Chancellor |
Review date | 2024 (reviewed annually) |
File number | UR23/1050 |
Superseded documents | New policy (replaces data breach provisions from the Privacy Policy). |
Version history
Version | Approved by | Approval date | Effective date | Sections modified |
---|---|---|---|---|
1.0 | Vice-Chancellor | 10/11/2023 | 23/11/2023 | New policy. |
References
Critical Incident Response Policy
Data breach response plan (available at Data breaches (SharePoint))
Health Records and Information Privacy Act 2002 (NSW) (HRIPA)
Privacy and Personal Information Protection Act 1998 (NSW) (PPIPA)
Privacy Management Plan (available at Privacy regulations)
Appendix 1: Data breach response steps
Effective data breach response comprises 6 steps. Some steps need to occur concurrently for an effective response. This table outlines the individual steps and required actions as part of an effective response to a data breach.
Table: Data breach response steps
Step | Action |
---|---|
1. Report | Actual and suspected data breaches reported in line with this policy. Refer Reporting a data breach. |
2. Contain | Contain the breach to stop or reduce impact and scale. Immediate containment actions may include stopping a process, removing access to an information system, changing passwords or recalling an email sent in error. Containment to start as soon as possible from when a breach is first suspected and may be concurrent to reporting. Containment needs to continue to remediation and resolution of the incident. Refer Containing a data breach. |
3. Respond | Establish a data breach response team where required. Develop a communications plan where required. Refer Responding to a data breach and Data breach communications strategy. |
4. Assess | The Director, Governance Support Unit (GSU) will appoint one or more assessors to determine whether a suspected data breach meets the requirements of an eligible data breach under the MNDB Scheme. The assessment is to be completed as soon as possible and at least within 30 days from the initial report. The Director, GSU will decide, based on the assessor’s advice, whether an eligible data breach has, or is believed to have, occurred. Note: If the data involved may be covered by other jurisdictions (for example, China or the European Union) different reporting timelines may apply. |
5. Notify | Where an eligible data breach has occurred, the Director, GSU will facilitate the notification of relevant privacy regulators and affected individuals. Refer Data breach notifications. |
6. Review | A post-breach review must be undertaken following the response to a data breach and should propose ongoing actions and mitigation strategies. |