RATIONALE

The purpose of this policy is to provide guidance for responding to a breach of data held by Camberwell Grammar School (School). Effective data breach management, including notification where warranted, assists the School in avoiding or reducing possible harm to both the affected individuals/organisations and the School, and may prevent future breaches. This policy applies to anyone who has access to School data.
BODY OF POLICY

2.1. Definitions

Serious harm: can be emotional, psychological, physical, reputational, or other forms of harm.

Data Custodian: the person/s responsible for managing the data, e.g. ICT Department for all electronic records, Student Records for hard copy student files, etc.

Personal or confidential data: includes (but is not limited to) credit card details, student and staff personal data including medical information, School financial data, exam material, exam results, and ICT system security information.
What is a data breach?

An eligible data breach occurs when three criteria are met:
• There is unauthorised access to, or unauthorised disclosure of, personal information, or a loss of personal information, that the School holds;
• It is likely to result in serious harm to one or more individuals; and
• The School has not been able to prevent the likely risk of serious harm with remedial action.
A data breach occurs when there is a failure that has caused, or has the potential to cause, unauthorised access to School data, such as:
• Accidental loss or theft of personal or confidential data, or of equipment on which such data is stored (e.g. loss of a paper record, laptop, iPad or USB stick)
• Unauthorised use of, access to, or modification of data or information systems (e.g. sharing of user login details, deliberately or accidentally, to gain unauthorised access or make unauthorised changes to data or information systems)
• Unauthorised disclosure of personal or confidential information (e.g. an email sent to an incorrect recipient, a document posted to an incorrect address or addressee, or personal information posted onto a website without consent)
• Compromised user account (e.g. accidental disclosure of user login details through phishing)
Responding to a data breach

The Heads of School, Business Manager and Data Custodian (e.g. ICT Department for online data) must be informed of any data breach to ensure the application of this policy. There are four key steps required in responding to a data breach:
Document Owner: Risk and Compliance Manager | Version: 1 | Title: Data Breach | Reference Number: SCO-POL-001
Original Issue: February 2018 | Approval Date: February 2018 | Review Date: February 2021 | Page: 1 of 2
1. Contain the breach.
2. Conduct an assessment and take remedial action.
3. Consider breach notification.
4. Review the incident.

The first three steps should be carried out concurrently where possible. The last step provides recommendations for longer-term solutions and prevention strategies.

Maintain personal information security
The School and employees must take reasonable steps to protect personal information they hold.

Suspected or known data breach occurs
Notify the Heads of School, Business Manager and Data Custodian (e.g. ICT Department for online data). Complete Part A of a Data Breach Incident Form and submit it to the Data Custodian.

Contain
The Data Custodian takes immediate steps to contain the possible data breach and completes Part B of the Data Breach Incident Form.
Take remedial action
Consider whether the breach is likely to result in serious harm for any of the individuals whose information is involved.

Where possible, steps need to be taken to reduce the likelihood of harm to affected individuals caused by the breach. This could involve recovering the information before it is accessed, or changing access controls, repository requirements or security measures.

If there are reasonable grounds to believe there is an eligible breach, and there is still a risk of serious harm after remedial action has been implemented, proceed to notification. If there are only reasonable grounds to suspect an eligible breach, an assessment of whether there is a notifiable breach must be conducted within 30 days.
Is serious harm still likely?
If remedial action is successful in making serious harm no longer likely, then notification is not required, and the School can proceed directly to the Review stage.

Notify
Where serious harm to affected individuals is likely, the School must notify those individuals and the Australian Information Commissioner. The notification must contain the School's contact details, a description of the breach, the kind/s of information concerned, and recommended steps for individuals. It may contain other information. If practicable, notify those individuals at likely risk of serious harm directly. If it is not practicable to notify directly, the School can publish a statement on its website and take steps to draw it to the attention of the relevant individuals.

Review
Consider how the breach occurred and whether to enhance relevant personal information security measures.
RELATED DOCUMENTS
• SCO-MNL-001_Privacy and Data Breach Manual
• SCO-FRM-001_Data Breach Incident Form
• SCO-POL-002_Privacy

RELEVANT LEGISLATION
• Privacy Act 1988 (Privacy Amendment (Notifiable Data Breaches) Act 2017)
Approver: Staff Executive Committee | Authoriser: Council