The College is committed to protecting the privacy of personal information. The College is required to comply with a number of privacy laws including the Privacy Act 1988 (Cth) (the Act), the Australian Privacy Principles contained in the Act (APPs) and the Privacy Amendment (Notifiable Data Breaches) Act 2017 (NDB Act). The APPs regulate the manner in which personal information is handled by the College.
The Privacy Amendment (Notifiable Data Breaches) Act 2017 (NDB Act) established a Notifiable Data Breaches (NDB) scheme requiring organisations covered by the Act to notify any individuals likely to be at risk of serious harm by a data breach. The Office of the Australian Information Commissioner (OAIC) must also be notified.
Adherence to this Procedure and Response Plan will ensure that Eastern College Australia can contain, assess and respond to data breaches expeditiously and mitigate potential harm to the person(s) affected.
This Procedure and Response Plan has been informed by:
- The Office of the Australian Information Commissioner’s “Data breach notification guide: a guide to handling personal information security breaches”
- Notifiable Data Breach Act
- The Act and Australian Privacy Principles (Schedule 1 of the Act)
As an education provider, and an employer, the College is required to collect, use and disclose personal information. Personal information includes all information or opinion, whether true or not and whether recorded in a material form or not, about an individual. This includes (but is not limited to) the information that the College holds in relation to students, staff, contractors, and even information regarding individuals who attend College functions.
The APPs specifically require the College to take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification or disclosure. This Policy is part of the College's endeavours to comply with this obligation.
This Policy sets out the processes to be followed by College staff in the event that the College experiences a data breach or suspects that a data breach has occurred. A data breach involves the loss of, unauthorised access to, or unauthorised disclosure of, personal information.
Eastern College Australia recognises the importance of ensuring that appropriate measures are in place to:
- effectively respond to an actual or suspected data breach involving data or information in any form or medium held by the College (Data); and
- ensure compliance with the relevant legislative framework under the Privacy Act 1988 (Cth) (the Act) concerning personal information data breaches.
2.1 This Policy applies to all employees (full time, part-time, casual or volunteer) of the College.
Australian Privacy Principles (APPs) means the 13 APPs set out in Schedule 1 of the Act.
Data breach means the loss, unauthorised access to, or disclosure of, personal information.
Loss means accidental or inadvertent loss of personal information likely to result in unauthorised access or disclosure. For example, an employee leaves a copy of a document or a device on public transport. If data can be deleted remotely or is encrypted it will not constitute an NDB.
Notifiable Data Breach (NDB) is a data breach that is likely to result in serious harm to any of the individuals to whom the personal information relates. A NDB occurs when personal information held by an organisation is lost or subjected to unauthorised access or disclosure. In such circumstances, the College must notify the Office of the Australian Information Commissioner (OAIC) and affected individuals as required under the Privacy Amendment (Notifiable Data Breaches) Act 2017
Personal information means information or an opinion in any form about an identifiable individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not.
Sensitive formation means information about racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual orientation or practices, or criminal record, or health information, genetic information or biometric information.
Serious harm is determined with regard to the following list of relevant matters as provided for in section 26WG of the Privacy Amendment (Notifiable Data Breaches) Act 2017: the kind or kinds of information;
- the sensitivity of the information;
- whether the information is protected by one or more security measures;
- if the information is protected by one or more security measures—the likelihood that any of those security measures could be overcome;
- the persons, or the kinds of persons, who have obtained, or who could obtain, the information;
if a security technology or methodology:
- was used in relation to the information; and
- was designed to make the information unintelligible or meaningless to persons who are not authorised to obtain the information;
the likelihood that the persons, or the kinds of persons, who:
- have obtained, or who could obtain, the information; and
- have, or are likely to have, the intention of causing harm to any of the individuals to whom the information relates;
- have obtained, or could obtain, information or knowledge required to circumvent the security technology or methodology;
- the nature of the harm;
- any other relevant matters.
Unauthorised access means personal information accessed by someone who is not permitted to have access. This could include an employee of the entity, a contractor or external third party (such as hacking).
Unauthorised disclosure means where an entity releases/makes visible the information outside the entity in a way not permitted by the Privacy Act. For example, an employee accidently publishes a confidential data file containing personal information on the internet.
3. Process where a data breach occurs or is suspected
Where a privacy data breach is known to have occurred (or is suspected) any member of the College staff who becomes aware of this must, within 24 hours, alert the Vice Principal (Community & Operations).
The Information that should be provided (if known) at this point includes:
- When the breach occurred (time and date)
- Description of the breach (type of personal information involved)
- Cause of the breach (if known) otherwise how it was discovered
- Which system(s) if any are affected?
f) Whether corrective action has occurred to remedy or ameliorate the breach (or suspected breach)
A template can be found at Appendix A to assist in documenting the required information.
3.2. Assess and determine the potential impact
Once notified of the information above, the Vice Principal (Community & Operations) must consider whether a privacy data breach has (or is likely to have) occurred and make a preliminary judgement as to its severity. The General Manager and the Information Systems Manager should be contacted for advice.
3.2.1 Criteria for determining whether a privacy data breach has occurred
a) Is personal information involved?
b) Is the personal information of a sensitive nature?
c) Has there been unauthorised access to personal information, or unauthorised disclosure of personal information, or loss of personal information in circumstances where access to the information is likely to occur?
3.2.2 Criteria for determining severity
a) The type and extent of personal information involved
b) Whether multiple individuals have been affected
c) Whether the information is protected by any security measures (password protection or encryption)
d) The person or kinds of people who now have access
e) Whether there is (or could there be) a real risk of serious harm to the affected individuals
f) Whether there could be media or stakeholder attention as a result of the breach or suspect breach
3.3 Having considered the matters in 3.2.1 and 3.2.2, the Vice Principal (Community & Operations) must issue pre-emptive instructions as to whether the data breach should be managed at the local level or escalated to the Data Breach Response Team (Response Team). This will depend on the nature and severity of the breach.
3.3.1 Data breach managed at the College level
Where the Vice Principal (Community & Operations) instructs that the data breach is to be managed at the local level he/she must:
- ensure that immediate corrective action is taken, if this has not already occurred (corrective action may include: retrieval or recovery of the personal information, ceasing unauthorised access, shutting down or isolating the affected system); and
submit a report to the College Executive within 48 hours of receiving instructions under 3.3. The report must contain the following:
- Description of breach or suspected breach
- Action taken
- Outcome of action
- Processes that have been implemented to prevent a repeat of the situation.
- Recommendation that no further action is necessary
The College Executive will sign-off that no further action is required.
The report will be logged by the General Manager.
3.3.2 Data breach managed by the Response Team
Where the Vice Principal (Community & Operations) instructs that the data breach must be escalated to the Response Team, he/she will convene the Response Team and notify the Executive Principal. The Response team will consist of:
- Vice Principal (Community & Operations)
- Information Systems Manager
- General Manager
- Executive Principal’s PA
3.4. Primary role of the Response Team
There is no single method of responding to a data breach and each incident must be dealt with on a case by case basis by assessing the circumstances and associated risks to inform the appropriate course of action. The following steps may be undertaken by the Response Team (as appropriate):
- Immediately contain the breach (if this has not already occurred). Corrective action may include: retrieval or recovery of the personal information, ceasing unauthorised access, shutting down or isolating the affected system.
- Evaluate the risks associated with the breach, including collecting and documenting all available evidence of the breach having regard for the information outlined in sections 3.2.1 and 3.2.2 above.
- Call upon the expertise of, or consult with, relevant staff in the particular circumstances.
- Engage an independent cyber security or forensic expert as appropriate.
- Assess whether serious harm is likely (with reference to section 3.2.2 above and section 26WG of the NDB Act).
- Make a recommendation to the Vice Principal (Community & Operations) whether this breach constitutes an NDB for the purpose of mandatory reporting to the OAIC and the practicality of notifying affected individuals.
- Consider developing a communication or media strategy including the timing, content and method of any announcements to students, staff or the media.
The Response Team must undertake its assessment within 48 hours of being convened.
The Vice Principal (Community & Operations) will provide periodic updates to the Executive Principal as deemed appropriate.
Having regard to the Response Team’s recommendation in 3.4 above, the Vice Principal (Community & Operations) will determine whether there are reasonable grounds to suspect that an NDB has occurred.
If there are reasonable grounds, the Vice Principal (Community & Operations) must prepare a prescribed statement and provide a copy to the OAIC as soon as practicable (and no later than 30 days after becoming aware of the breach or suspected breach).
A template can be found at Appendix B.
If practicable, the College must also notify each individual to whom the relevant personal information relates. Where impracticable, the College must take reasonable steps to publicise the statement (including publishing on the website).
The prescribed statement will be logged by the General Manager.
3.6 Secondary Role of the Response Team
Once the matters referred to in 3.4 and 3.5 have been dealt with, the Response Team should turn attention to the following:
- Identify lessons learnt and remedial action that can be taken to reduce the likelihood of recurrence – this may involve a review of policies, processes, refresher training.
- Prepare a report for submission to the College Executive and the College Board.
- Consider the option of an audit to ensure necessary outcomes are affected and effective.
The Executive Principal has overall responsibility for the implementation of this policy.
This policy will be reviewed as part of the College’s three-year review cycle. Following every data breach incident, a review shall be conducted to assess whether the College’s data protection policies or procedures require modification to better protect the College’s data.
This policy is publically available and communicated to all staff and members of the College Board.
Acknowledgement goes to Northside Christian College for assisting in the development of this policy
Australian Catholic University. (2017, December). Data Breach Procedure & Response Plan. Retrieved from https://www.acu.edu.au/policy/governance/privacy_policy_and_procedure/pr... acy_breach_procedure.
Office of the Australian Information Commissioner. (2016, April). Guide to developing a data breach response plan. Retrieved from https://www.oaic.gov.au/agencies-and- organisations/guides/guide-to-developing-a-data-breach-response-plan.
Office of the Australian Information Commissioner. (2014, August). Data breach notification — A guide to handling personal information security breaches. Retrieved from https://www.oaic.gov.au/agencies-and-organisations/guides/data-breach-no... handling-personal-information-security-breaches.
Office of the Australian Information Commissioner. (2017, December). Notifiable Data Breaches scheme. Retrieved from https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches- scheme.
Contact for all matters related to privacy, including complaints about breaches of privacy, should be directed as follows:
T: 03 97909200
5 Burwood Highway, Wantirna VIC 3152