Data Breach Policy


1. RATIONALE

The purpose of this policy is to provide guidance for responding to a breach of Camberwell Grammar School (School) held data.

Effective data breach management, including notification where warranted, assists the School in avoiding or reducing possible harm to both the affected individuals/organisations and the School, and may prevent future breaches.

This policy applies to anyone who has access to School data.

2. BODY OF POLICY

2.1. Definitions

Word/s: Definition

Serious Harm: Serious harm can be emotional, psychological, physical, reputational, or other forms of harm.

Data Custodian: Person/s responsible for managing the data, e.g. ICT Department for all electronic records, Student Records for hard copy student files, etc.

Personal or confidential: Includes (but is not limited to) credit card details, student and staff personal data including medical information, School financial data, exam material, exam results, ICT system security information.

2.2. What is a data breach?

An eligible data breach occurs when three criteria are met:

• There is unauthorised access to, or unauthorised disclosure of personal information, or a loss of personal information, that the School holds;

• It is likely to result in serious harm to one or more individuals; and,

• The School has not been able to prevent the likely risk of serious harm with remedial action.

A data breach occurs when there is a failure that has caused or has the potential to cause unauthorised access to School data, such as:

• Accidental loss or theft of personal or confidential data or equipment on which such data is stored (e.g. loss of paper record, laptop, iPad or USB stick)

• Unauthorised use, access to or modification of data or information systems (e.g. sharing of user login details (deliberately or accidentally) to gain unauthorised access or make unauthorised changes to data or information systems)

• Unauthorised disclosure of personal or confidential information (e.g. email sent to an incorrect recipient or document posted to an incorrect address or addressee), or personal information posted onto a website without consent

• Compromised user account (e.g. accidental disclosure of user login details through phishing)

• Malware infection

2.3. Responding to a data breach

The Heads of School, Business Manager and Data Custodian (e.g. ICT Department for online data) must be informed of any data breach to ensure the application of this policy.

There are four key steps required in responding to a data breach:


1. Contain the breach.

2. Conduct an assessment and take remedial action.

3. Consider breach notification.

4. Review the incident.

The first three steps should be carried out concurrently where possible. The last step provides recommendations for longer-term solutions and prevention strategies.

The School and employees must take reasonable steps to protect personal information they hold.

The Data Custodian takes immediate steps to contain the possible data breach and completes Part B of the Data Breach Incident Form.

Consider whether the breach is likely to result in serious harm for any of the individuals whose information is involved.

If there are reasonable grounds to believe there is an eligible breach, and there is still a risk of serious harm after remedial action has been implemented, proceed to notification.

If there are only reasonable grounds to suspect an eligible breach, an assessment of whether there is a notifiable breach must be conducted within 30 days.

Is serious harm still likely?

Where possible, steps need to be taken to reduce the likelihood of harm to affected individuals caused by the breach. This could involve recovering the information before it is accessed, changing access controls, repository requirements or security measures.

If remedial action is successful in making serious harm no longer likely, then notification is not required, and the School can proceed directly to the Review stage.

Where serious harm to affected individuals is likely, the School must notify those individuals and the Australian Information Commissioner. The notification must contain the School’s contact details, a description of the breach, the kind/s of information concerned, and recommended steps for individuals. It may contain other information.

If practicable, notify those individuals at likely risk of serious harm directly. If it is not practicable to notify directly, the School can publish a statement on its website, and take steps to draw it to the attention of the relevant individuals.

Review

Consider how the breach occurred and whether to enhance relevant personal information security measures.

3. RELATED DOCUMENTS

SCO-MNL-001_Privacy and Data Breach Manual

SCO-FRM-001_Data Breach Incident Form

SCO-POL-002_Privacy

4. RELEVANT LEGISLATION

Privacy Act 1988 (Privacy Amendment (Notifiable Data Breaches) Act 2017)

Approver: Staff Executive Committee. Authoriser: Council.

Flowchart: Data breach response. A suspected or known data breach occurs; notify the Heads of School, Business Manager and Data Custodian (e.g. ICT Department for online data); complete Part A of a Data Breach Incident Form and submit it to the Data Custodian. Stages: Contain; Assess (take remedial action); Notify (is serious harm still likely? No / Yes); Maintain personal information security.