
Introduction

The passage of the Privacy Amendment (Notifiable Data Breaches) Act 2017 established the Notifiable Data Breaches (NDB) scheme in Australia. The NDB scheme applies to all agencies and organisations with existing personal information security obligations under the Australian Privacy Act 1988 (Privacy Act) from 22 February 2018.

The NDB scheme introduced an obligation to notify individuals whose personal information is involved in a data breach likely to result in serious harm. This notification must include recommendations about the steps individuals should take in response to the breach. The Australian Information Commissioner (Commissioner) must also be notified of eligible data breaches.

This Data Breach Response plan (response plan) sets out procedures and clear lines of authority for Timetabling Solutions staff in the event that Timetabling Solutions experiences a data breach (or suspects that a data breach has occurred).

A data breach occurs when personal information is lost or subjected to unauthorised access, modification, use, disclosure or other misuse. Data breaches can be caused or exacerbated by a variety of factors, affect different types of personal information and give rise to a range of actual or potential harms to individuals, agencies and organisations.

This response plan is intended to enable Timetabling Solutions to contain, assess and respond to data breaches in a timely fashion to help mitigate potential harm to affected individuals. It sets out contact details for the appropriate staff in the event of a data breach, clarifies the roles and responsibilities of staff, and documents processes to assist Timetabling Solutions in responding to a data breach.

Timetabling Solutions manages personal information on behalf of its clients. It is important to stress that the data does not belong to Timetabling Solutions; it belongs to the client, and consequently, any breach of client data must be communicated to the client.

Our standard practice is that Timetabling Solutions will never communicate directly with people who are contained in client data - for example, parents, students and staff of a school - without the explicit permission of the client. The exception is where, in our view, a notifiable breach has occurred, the school does not have the mechanisms to readily target notifications to the affected people, and Timetabling Solutions must discharge its obligation under the Act to notify individuals at likely risk of harm.

Stage 1: Data breach suspected or notified
If a staff member discovers that a breach may have occurred (or is notified by a client), they must immediately notify Michael Wood (General Manager - Director) and/or Liam Pearce (Associate Director of Software), in person/by telephone and document via email as much detail as is known including:

● Name of School/client
● Name(s) of affected people, if known
● Evidence of breach - copies of any material which might constitute a breach


Evaluation of the breach
Michael Wood will take responsibility for the evaluation of the breach:

● Evaluate if a breach has occurred or is likely to have occurred
● Document evaluation outcomes
● Determine if a breach has occurred


What constitutes a data breach?
● An eligible data breach occurs when three criteria are met:

○ There is unauthorised access to, or unauthorised disclosure of, personal information, or a loss of personal information, that an entity holds
○ This is likely to result in serious harm to one or more individuals, and
○ The entity has not been able to prevent the likely risk of serious harm with remedial action

● ‘Serious harm’ can be psychological, emotional, physical, reputational, or other forms of harm
● Understanding whether serious harm is likely or not requires an evaluation of the context of the data breach.


When to escalate a data breach?
The General Manager (GM) or the Director of Software (DS) may use discretion in deciding whether to escalate the breach to Step 3.

Some data breaches may be comparatively minor and able to be dealt with easily without escalation.

For example, it might be discovered that either a member of Timetabling Solutions staff or a client has, as a result of human error, sent an email containing personal information to the wrong recipient. Depending on the sensitivity of the contents of the email, if the email can be recalled, or if the sender can contact the recipient and the recipient agrees to delete the email, it may be that there is no utility in escalating the issue. The GM/DS should use their discretion in determining whether a data breach or suspected data breach requires escalation. In making that determination, the GM/DS should consider the following questions:

● Are multiple individuals affected by the breach or suspected breach?
● Is there (or may there be) a real risk of serious harm to the affected individual(s)?
● Does the breach or suspected breach indicate a systemic problem in Timetabling Solutions processes or products?
● Could there be media or stakeholder attention as a result of the breach or suspected breach?


If the answer to any of these questions is ‘yes’, then it may be appropriate for the GM/ADS to escalate the issue to Step 3.

GM/DS to document minor breaches 
If the GM/DS decides not to escalate a minor data breach or suspected data breach, the GM/DS should create an incident report document, saved on the Timetabling Solutions Sharepoint repository, containing the following:

● description of the breach or suspected breach
● action taken by the DS to address the breach or suspected breach
● the outcome of that action, and
● the GM’s view that no further action is required


Stage 3: Implement Data Breach Response
There is no single method of responding to a data breach. Data breaches must be dealt with on a case-by-case basis by undertaking an assessment of the risks involved and using that risk assessment to decide the appropriate course of action. There are four key steps to consider when responding to a breach or suspected breach.


STEP 1: Contain the breach and do a preliminary assessment
STEP 2: Evaluate the risks associated with the breach
STEP 3: Notification
STEP 4: Prevent future breaches

The response team should ideally undertake steps 1, 2 and 3 either simultaneously or in quick succession.


Step 1: Contain the breach and make a preliminary assessment

● Convene a meeting of the data breach response team
● Immediately contain the breach - for example, if emails are still in the queue, stop the queue and delete
● Ensure evidence is preserved that may be valuable in determining the cause of the breach or allowing Timetabling Solutions to take appropriate corrective action
● If the breach involves client data, immediately establish contact with the client staff member designated as the data breach contact; in the absence of a specific contact, the primary Administration contact for the client

Step 2: Evaluate the risks for individuals associated with the breach
● Conduct an initial investigation and collect information about the breach promptly, including:

○ the date, time, duration, and location of the breach
○ the type of personal information involved in the breach
○ how the breach was discovered, and by whom
○ the cause and extent of the breach
○ a list of the affected individuals or possible affected individuals
○ the risk of serious harm to the affected individuals
○ the risk of other harms

● Determine whether the context of the information is important
● Establish the cause and extent of the breach
● Assess priorities and risks based on what is known
● Keep appropriate records of the suspected breach and actions of the response team, including the steps taken to rectify the situation and the decisions made
● Provide this information to the client

Step 3: Consider breach notification
● Determine who needs to be made aware of the breach (internally and potentially externally) at this preliminary stage
● Discuss with the client and determine whether to notify affected individuals – is there a real risk of serious harm to the affected individuals? In some cases, it may be appropriate to notify the affected individuals immediately, e.g., where there is a high level of risk of serious harm to affected individuals
● Consider whether others should be notified, including police/law enforcement, or other agencies or organisations affected by the breach, or where Timetabling Solutions is required under the terms of a contract or similar obligation to notify specific parties
● Determine whether notification to the Australian Information Commissioner is required. If it is required, provide a copy of the notification to the client.

School Contacts
Timetabling Solutions will request that all of its clients advise the appropriate contact person with whom Timetabling Solutions will liaise in the event of a data breach. Where a school has not provided this contact person, Timetabling Solutions will liaise with the Account Administrator (SMA Main) as designated in the Timetabling Solutions CRM System.

Who to Notify
Under the Act, Timetabling Solutions must notify any individuals who are at likely risk of serious harm as a result of a data breach. Timetabling Solutions must also notify the Australian Information Commissioner. There are three options for notification:
● Notify all individuals whose personal information is involved in the eligible data breach
● Notify only the individuals who are at likely risk of serious harm, or
● Publish your notification and publicise it with the aim of bringing it to the attention of all individuals at likely risk of serious harm.

Timetabling Solutions will make a decision about which is the most appropriate option in consultation with the affected school.

Notification to the Australian Information Commissioner
There is an online form to notify the Commissioner: https://forms.uat.business.gov.au/smartforms/landing.htm?formCode=OAIC-NDB 

Step 4: Review the incident and take action to prevent future breaches
● Fully investigate the cause of the breach
● Report to the Timetabling Solutions Board on outcomes and recommendations:

○ Update security and response plan if necessary
○ Make appropriate changes to policies and procedures if necessary
○ Revise staff training practices if necessary
○ Consider the option of an audit to ensure necessary outcomes are effected

● Report to the client a summary of the outcomes and recommendations

Further Information
● Notifiable Data Breaches scheme at Office of the Australian Information Commissioner: https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme

● Information Commissioner Webinar Slides: 
https://www.oaic.gov.au/resources/engage-with-us/consultations/notifiable-data-breaches/Preparing_for_the_NDB_scheme_webinar_slides.pdf