The passage of the Privacy Amendment (Notifiable Data Breaches) Act 2017 established the Notifiable Data Breaches (NDB) scheme in Australia. The NDB scheme applies to all agencies and organisations with existing personal information security obligations under the Australian Privacy Act 1988 (Privacy Act) from 22 February 2018.
The NDB scheme introduced an obligation to notify individuals whose personal information is involved in a data breach that is likely to result in serious harm. This notification must include recommendations about the steps individuals should take in response to the breach. The Australian Information Commissioner (Commissioner) must also be notified of eligible data breaches.
This Data Breach Response plan (response plan) sets out procedures and clear lines of authority for Timetabling Solutions staff in the event that Timetabling Solutions experiences a data breach (or suspects that a data breach has occurred).
A data breach occurs when personal information is lost or subjected to unauthorised access, modification, use or disclosure or other misuse. Data breaches can be caused or exacerbated by a variety of factors, affect different types of personal information and give rise to a range of actual or potential harms to individuals, agencies and organisations.
This response plan is intended to enable Timetabling Solutions to contain, assess and respond to data breaches in a timely fashion, to help mitigate potential harm to affected individuals. It sets out contact details for the appropriate staff in the event of a data breach, clarifies the roles and responsibilities of staff, and documents processes to assist the Timetabling Solutions to respond to a data breach.
Timetabling Solutions manages personal information on behalf of its clients. It is important to stress that the data does not belong to Timetabling Solutions, it belongs to the client, and consequently any breach of client data must be communicated to the client.
Our standard practice is Timetabling Solutions will never communicate directly with people who are contained in client data - for example parents, students and staff of a school - without the explicit permission of the client. The exception is where in our view a notifiable breach has occurred and the school does not have the mechanisms to readily target notifications to the affected people, and Timetabling Solutions must discharge its obligation under the Act to notify individuals at likely risk of harm.
Stage 1: Data breach suspected or notified If a staff member discovers that a breach may have occurred (or is notified by a client), they must immediately notify Michael Wood (General Manager - Director) and/or Liam Pearce (Associate Director of Software), in person/by telephone and document via email as much detail as is known including:
● Name of School/client
● Name(s) of affected people, if known
● Evidence of breach - copies of any material which might constitute a breach
Evaluation of the breach
Michael Wood will take responsibility for evaluation of the breach:
● Evaluate if a breach has occurred, or is likely to have occurred
● Document evaluation outcomes
● Determine if a breach has occured
What constitutes a data breach?
● An eligible data breach occurs when three criteria are met:
● ‘Serious harm’ can be psychological, emotional, physical, reputational, or other forms of harm
● Understanding whether serious harm is likely or not requires an evaluation of the context of the data breach.
When to escalate a data breach?
The General Manager (GM) or the Associate Director of Software (ADS) may use discretion in deciding whether to escalating the breach to Step 3.
Some data breaches may be comparatively minor, and able to be dealt with easily without escalation.
For example, it might be discovered either a member of Timetabling Solutions staff, or a client, may as a result of human error, send an email containing personal information to the wrong recipient. Depending on the sensitivity of the contents of the email, if the email can be recalled, or if the sender can contact the recipient and the recipient agrees to delete the email, it may be that there is no utility in escalating the issue. The GM/ADS should use their discretion in determining whether a data breach or suspected data breach requires escalation. In making that determination, the GM/ADS should consider thefollowing questions:
● Are multiple individuals affected by the breach or suspected breach?
● Is there (or may there be) a real risk of serious harm to the affected individual(s)?
● Does the breach or suspected breach indicate a systemic problem in Timetabling Solutions processes or product?
● Could there be media or stakeholder attention as a result of the breach or suspected breach?
If the answer to any of these questions is ‘yes’, then it may be appropriate for the GM/ADS to escalate the issue to Step 3
GM/ADS to document minor breaches
If the GM/ADS decides not to escalate a minor data breach or suspected data breach the GM/ADS should create an incident report document, saved on the Timetabling Solutions Sharepoint repository, containing:
● description of the breach or suspected breach
● action taken by the ADS to address the breach or suspected breach
● the outcome of that action, and
● the GM’s view that no further action is required
Stage 3: Implement Data Breach Response
There is no single method of responding to a data breach. Data breaches must be dealt withon a case-by-case basis, by undertaking an assessment of the risks involved, and using that risk assessment to decide the appropriate course of action. There are four key steps to consider when responding to a breach or suspected breach.
STEP 2: Evaluate the risks associated with the breach
STEP 3: Notification
STEP 4: Prevent future breaches
Step 1: Contain the breach and make a preliminary assessment
● Convene a meeting of the data breach response team
● Immediately contain breach - for example, if emails are still in queue, stop the queue and delete
● Ensure evidence is preserved that may be valuable in determining the cause of the breach, or allowing Timetabling Solutions to take appropriate corrective action
● If the breach involves client data immediately establish contact with client staff member designated as the data breach contact; in absence of a specific contact, the primary Administration contact for the client
Step 2: Evaluate the risks for individuals associated with the breach
● Conduct initial investigation, and collect information about the breach promptly, including:
○ the type of personal information involved in the breach
○ how the breach was discovered and by whom
○ the cause and extent of the breach
○ a list of the affected individuals, or possible affected individuals
○ the risk of serious harm to the affected individuals
○ the risk of other harms
● Provide this information to the client
● Discuss with client and determine whether to notify affected individuals – is there areal risk of serious harm to the affected individuals? In some cases, it may be appropriate to notify the affected individuals immediately; e.g., where there is a highlevel of risk of serious harm to affected individuals
Timetabling Solutions will request that all of its clients advise the appropriate contact person with whom Timetabling Solutions will liaise in the event of a data breach. Where a school has not provided this contact person, Timetabling Solutions will liaise with the Account Administrator (SMA Main) as designated in Timetabling Solutions CRM System.
Who to Notify
Under the Act Timetabling Solutions must notify any individuals that are at likely risk of serious harm as a result of a data breach. Timetabling Solutions must also notify the Australian Information Commissioner. There are three options for notification:
● Notify all individuals whose personal information is involved in the eligible data breach
● Notify only the individuals who are at likely risk of serious harm; or
● Publish your notification, and publicise it with the aim of bringing it to the attention of all individuals at likely risk of serious harm Timetabling Solutions will make a decision about which is the most appropriate option on consultation with the affected school.
Notification to the Australian Information Commissioner
There is an online form to notify the Commissioner: https://forms.uat.business.gov.au/smartforms/landing.htm?formCode=OAIC-NDB
Step 4: Review the incident and take action to prevent future breaches
● Fully investigate the cause of the breach
● Report to Timetabling Solutions Board on outcomes and recommendations:
○ Update security and response plan if necessary
○ Make appropriate changes to policies and procedures if necessary
○ Revise staff training practices if necessary
○ Consider the option of an audit to ensure necessary outcomes are effected
● Report to the client in summary of the outcomes and recommendation
● Notifiable Data Breaches scheme at Office of the Australian Information Commissioner: https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme
● Information Commissioner Webinar Slides: https://www.oaic.gov.au/resources/engage-with-us/consultations/notifiable-data-breaches/Preparing_for_the_NDB_scheme_webinar_slides.pdf