Personal Information Data Breach Procedure
Intent
The University is committed to protecting personal privacy and recognises that staff and students have a reasonable expectation that the University will protect and appropriately manage the personal information it holds about them.
This Procedure outlines the actions to be undertaken on a data breach and, where the breach is considered an eligible data breach under the National Data Breach Scheme, the notification of affected individuals and the Australian Information Commissioner.
Scope
This procedure governs suspected data breaches and applies to all University staff, affiliates, students, contractors and any other third party who collects or manages personal information on behalf of the University.
Definitions
Except as otherwise specified in this procedure, the meaning of terms used in this procedure is as per the Policy Glossary and the governing Information Privacy Policy.

| Term | Definition |
|---|---|
| Eligible data breach | The Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth), also referred to as the Notifiable Data Breaches (NDB) Scheme, amends the Privacy Act 1988 (Cth) (the Commonwealth Privacy Act). Where the NDB Scheme applies to JCU, there is a mandatory requirement for JCU to notify the Commonwealth Privacy Commissioner and affected individuals of ‘eligible data breaches’. An eligible data breach occurs if: (a) there is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, that JCU holds; (b) this is likely to result in serious harm to one or more individuals; and (c) the University has not been able to prevent the likely risk of serious harm with remedial action. |
| Harm | Data breaches can cause significant harm in multiple ways. Individuals whose personal information is involved in a data breach may be at risk of serious harm, whether that is harm to their physical or mental well-being, financial loss, or damage to their reputation. Examples of harm include identity theft, significant financial loss, threats to an individual’s physical safety, loss of business or employment opportunities, humiliation, damage to reputation or relationships, and workplace or social bullying or marginalisation. |
| Loss of data | Loss refers to the accidental or inadvertent loss of personal information held by the University, in circumstances where it is likely to result in unauthorised access or disclosure. For example, where a staff member leaves personal information (including hard copy documents, unsecured computer equipment, or portable storage devices containing personal information) on public transport. |
| Unauthorised access | Unauthorised access of personal information occurs when personal information that an entity holds is accessed by someone who is not permitted to have access. This includes unauthorised access by an employee of the entity, or an independent contractor, as well as unauthorised access by an external third party (such as by hacking). For example, a staff member browses a student academic or personal record without any legitimate purpose. |
| Unauthorised disclosure | Unauthorised disclosure occurs when an entity, whether intentionally or unintentionally, makes personal information accessible or visible to others outside the entity, and releases that information from its effective control in a way that is not permitted by the Privacy Act. This includes an unauthorised disclosure by an employee of the entity. For example, a staff member accidentally publishes a confidential data file containing the personal information of one or more individuals on the internet. |
Procedure

1. Suspected data or privacy breach
- Access to personal information is granted to staff only where this is necessary for work purposes, and staff must only access personal information where there is a work-related reason to do so. Personal information must be protected against loss, unauthorised access or modification, disclosure or misuse.
- A suspected data breach is any event which may have involved unauthorised access, unauthorised disclosure or loss of data involving personal information.

2. Reporting a suspected data breach
- If a staff member becomes aware of a suspected data breach, they are to contact the Information Privacy Officer as soon as possible, with as much information as is available, via:
  Deputy University Secretary and Privacy Officer
  Secretariat
  James Cook University
  Townsville, QLD 4811
  Email: secretariat@jcu.edu.au
- The information to be provided includes:
  - the time and date the suspected data breach was discovered,
  - the type of personal information involved,
  - the cause and extent of the breach,
  - the context of the affected information and the breach, and
  - the actions undertaken to contain the breach (see clause 5).
- JCU has only thirty (30) days from becoming aware of the breach to carry out a reasonable and expeditious assessment of whether there are reasonable grounds to believe that the data breach is an eligible data breach.

3. Notification requirements for eligible data breaches
- An eligible data breach arises when the following three criteria are satisfied:
  - there is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, that JCU holds;
  - this is likely to result in serious harm to one or more individuals; and
  - the University has not been able to prevent the likely risk of serious harm with remedial action.
- Whether a data breach is likely to result in serious harm requires an objective assessment by the Information Privacy Officer, based on information immediately available or following reasonable inquiries or an assessment of the data breach. The potential kinds of harm that may follow a data breach include:
  - identity theft,
  - significant financial loss by the individual,
  - threats to an individual’s physical safety,
  - loss of business or employment opportunities,
  - humiliation, damage to reputation or relationships, and/or
  - workplace or social bullying or marginalisation.
- The likelihood of a particular harm occurring, as well as the anticipated consequences for individuals whose personal information is involved in the data breach if the harm materialises, are relevant considerations.
- If JCU acts quickly to remediate a data breach, and as a result of this action the data breach is not likely to result in serious harm, there is no requirement to notify any individuals or the Australian Information Commissioner. There are also exceptions to the notification requirement in certain circumstances.
- If personal information is lost in circumstances where subsequent unauthorised access to or disclosure of the information is unlikely, there is no eligible data breach. For example, if the personal information is remotely deleted before an unauthorised person could access the information, or if the information is encrypted to a high standard making unauthorised access or disclosure unlikely, then there is no eligible data breach.

4. Once a breach is declared eligible
- If a data breach is declared eligible by the Information Privacy Officer, the Chief of Staff, as the University’s Critical Incident Coordinator, is to be notified.
- The University is required to prepare a statement and provide a copy to the Office of the Australian Information Commissioner (OAIC). The OAIC’s online form is to be used for this process. The form includes the name and contact details of the University, a description of the eligible data breach, the kind or kinds of information involved, and the steps the University recommends to individuals at risk of serious harm in response to the eligible data breach.
5. Data Breach Response Plan
- The University’s Data Breach Response Plan comprises four steps (consistent with the OAIC guide to managing data breaches in accordance with the Privacy Act 1988 (Cth)):
  - Step 1: Contain the data breach to prevent any further compromise of personal information.
  - Step 2: Assess the data breach by gathering the facts and evaluating the risks, including potential harm to affected individuals and, where possible, taking action to remediate any risk of harm.
  - Step 3: Notify individuals and the Commissioner if required. If the breach is an ‘eligible data breach’ under the NDB scheme, it may be mandatory for JCU to notify.
  - Step 4: Review the incident and consider what actions can be taken to prevent future breaches.

Step 1 - Contain
Once a data breach is suspected, immediate action must be taken to limit the breach. For example, stop the unauthorised practice, recover the records, or shut down the system that was breached. If it is not practical to shut down the system, or if doing so would result in loss of evidence, then revoke or change computer access privileges or address weaknesses in physical or electronic security.
To identify strategies to contain a data breach, consider:
- How did the data breach occur?
- Is the personal information still being shared, disclosed, or lost without authorisation?
- Who has access to the personal information?
- What can be done to secure the information, or stop the unauthorised access or disclosure, and reduce the risk of harm to affected individuals?
Notify the Information Privacy Officer.
During this preliminary stage, be careful not to destroy evidence that may be valuable in identifying the cause of the breach, or that would enable the entity to address all risks posed to affected individuals or the entity.

Step 2 - Assess
An assessment of the data breach will identify the risks posed by the breach and how these risks can be addressed. It must be conducted as expeditiously as possible by the Information Privacy Officer, based on the information available and in consultation with the Director Information and Communication Technology and the Head of the Organisational Unit. The aim is to understand the risk of harm to affected individuals, and to identify and take all appropriate steps to limit the impact of the data breach. Considerations in this assessment include:
- the type or types of personal information involved in the data breach;
- the circumstances of the data breach, including its cause and extent; and
- the nature of the harm to affected individuals, and whether this harm can be removed through remedial action.
Remedial action to reduce any potential harm to individuals should be taken (such as recovering lost information before it is accessed). This might also take place during Step 1: Contain.
The Information Privacy Officer is to determine whether the data breach is an eligible data breach under the NDB scheme. This assessment is to occur within 30 days and is to be determined in accordance with the criteria for assessing a data breach, including the risk of harm and remedial action, set out in section 3.
If it is an eligible data breach, the Chief of Staff will convene the Notifiable Data Breach Response Team (see Appendix 2 for composition) for Steps 3 and 4.

Step 3 - Notify
Notification to affected individuals may be considered for any data breach but must be undertaken for eligible data breaches under the NDB Scheme. Notification can be an important mitigation strategy that has the potential to benefit both JCU and the individuals affected by a data breach. However, notifying individuals can cause undue stress or harm. For example, notifying individuals about a data breach that poses very little or no risk of harm can cause unnecessary anxiety. It can also de-sensitise individuals so that they don’t take a notification seriously, even when there is a real risk of serious harm. Each incident needs to be considered on a case-by-case basis to determine whether breach notification is required.
In considering whether to notify individuals who may be impacted by a data breach, the following should be considered:
- what information is provided in the notification and how this will be provided;
- who is responsible for notifying individuals and creating the notification;
- who else, other than affected individuals (and the Commissioner if the notification obligations of the NDB scheme apply), should be notified;
- where a law enforcement agency is investigating the breach, whether it is appropriate to consult the investigating agency before making details of the breach public; and
- whether the incident triggers reporting obligations to other entities (eg TEQSA or the Australian Taxation Office).
Effective data breach response is about reducing or removing harm to affected individuals, while protecting the interests of the University. Notification has the practical benefit of giving individuals the opportunity to take steps to protect their personal information following a data breach, such as by changing account passwords or being alert to possible scams resulting from the breach. Individuals who have been affected by a data breach must be treated with sensitivity and compassion, in order not to exacerbate or cause further harm. Notification may also serve to demonstrate that privacy protection is taken seriously.
The decision to notify will be made by the Chief of Staff in consultation with the Notifiable Data Breach Response Team as necessary.
If it is an eligible data breach, notification options include:
- Option 1 – Notify all individuals whose personal information was part of the eligible data breach. This option is used when JCU cannot reasonably assess which particular individuals are at risk of serious harm from an eligible data breach that involves personal information about many people, but serious harm is likely for one or more of the individuals.
- Option 2 – Notify only those individuals at risk of serious harm.
- Option 3 – Publish the notification. If neither Option 1 nor Option 2 is practicable, for example if the entity does not have up-to-date contact details for individuals, this may include providing a copy of the statement on the website and taking reasonable steps to publicise the statement.

Step 4 - Review
A Lessons Learned Report will be completed on an eligible data breach incident to improve personal information handling practices. This might involve:
- a security review, including a root cause analysis of the data breach;
- a prevention plan to prevent similar incidents in future;
- audits to ensure the prevention plan is implemented;
- a review of policies and procedures, and changes to reflect the lessons learned from the review;
- changes to staff selection and training practices; and
- a review of service delivery partners that were involved in the breach.
The intent of the Lessons Learned Report is to strengthen JCU’s personal information security and handling practices, and to reduce the chance of recurrence. A data breach should be considered alongside any similar breaches that have occurred in the past, which could indicate a systemic issue with policies or procedures.
If any updates are made following a review, staff will be notified of any changes to relevant policies and procedures to ensure a quick response to a data breach.
Related policy instruments
Requests for Access to Personal Information Procedure
Digital Technologies Acceptable Use Policy
Schedules/Appendices
Appendices:
- Data Breach Preparation and Response – Action Plan
- Responsible Officers for Data Breach Notifications
Related documents and legislation
JCU’s Information Privacy Statement and Collection Notice
Privacy and Right to Information Guidelines
Fact Sheet Privacy and Right to Information
Information Privacy Act (Qld) 2009
Right to Information Act (Qld) 2009
Administration
Approval Details
| Field | Value |
|---|---|
| Policy Domain | Corporate Governance |
| Policy Custodian | Vice Chancellor |
| Approval Authority | Council |
| Date for next Major Review | 22/05/2023 |
Revision History
| Version | Approval date | Implementation date | Details | Author |
|---|---|---|---|---|
| 18-1 | 22/05/2018 | 22/05/2018 | Procedure established | Chief of Staff |
Keywords | Information, privacy, personal information, data breach |