
Privacy Security Breach Procedure


Section 1 - Summary

(1) In the event a privacy security breach occurs with regard to personal information held by Victoria University (University), the University will take appropriate steps in response.

(2) For the purpose of this Procedure, a privacy security breach occurs if personal information held by the University is lost or subjected to unauthorised access, modification, disclosure or other misuse.


Section 2 - HESF/ASQA/ESOS Alignment

(3) HESF: Standard 7.3 Information Management.

(4) Standards for Registered Training Organisations (RTOs) 2015: Standard 8.


Section 3 - Scope

(5) This Procedure applies to all University staff, students, agents, contractors and individuals with whom the University interacts.


Section 4 - Definitions

(6) NDB Scheme means the Notifiable Data Breaches Scheme as defined in the Privacy Act 1988 (Cth).

(7) Eligible Data Breach under the NDB Scheme means a breach that is deemed to be an eligible data breach according to the following:

  1. There is unauthorised access or disclosure or loss of Tax File Number Information (TFN information);
  2. A reasonable person would conclude that the access, disclosure or loss would likely result in serious harm to any of the affected individuals; and,
  3. The University has not been able to prevent the likely risk of serious harm occurring after remedial action is taken.

Section 5 - Policy/Regulation

(8) Privacy Policy.


Section 6 - Procedures

Part A - Summary of Roles and Responsibilities

Role: Associate Director of Cyber Security
Responsibilities: Responsible for co-ordinating the University’s response to the privacy security breach.

Part B - Responding to Privacy Security Breaches: Four Key Steps

(9) There is no single way the University will respond to a privacy security breach, as privacy security breaches can be caused or exacerbated by a number of factors.  Each breach will be dealt with by the University on a case-by-case basis, with the University undertaking an assessment of the risks involved and using that risk assessment as the basis for deciding what actions to take in the circumstances.

(10) As a guide, there are four key steps that the University will generally follow when responding to a privacy security breach or suspected privacy security breach:

  1. Step 1: Contain the breach
  2. Step 2: Evaluate the risks associated with the breach
  3. Step 3: Consider whether notification is appropriate and if so, undertake a notification process
  4. Step 4: Prevent future breaches

Each of the above steps is addressed in further detail below.

Step 1: Contain the Breach

(11) If any person within the University discovers, suspects or is made aware of a privacy security breach, that person should escalate the matter immediately to the Director, ITS Security and Risk Assurance and/or the Privacy Officer so that the University can take necessary and practicable steps to address and contain the breach.

(12) What steps are necessary to contain the privacy security breach will depend on the nature of the breach but may include:

  1. recovery of any records containing personal information;
  2. shutting down any electronic system that has been interfered with;
  3. revoking or changing access privileges; and/or
  4. addressing weaknesses in physical or electronic security. 

(13) The Director, ITS Security and Risk Assurance will be responsible for co-ordinating the University’s response to the privacy security breach.

Step 2: Evaluate the Risks Associated with the Breach

(14) The University will assess the risks associated with the privacy security breach.  

(15) In doing so, it may consider the following factors:

The type(s) of personal information involved

(16) Some types of personal information are more likely to cause individual harm if compromised (for example, an individual’s academic information, financial information, or health or other sensitive information), whether that harm is physical, financial or psychological.

The context of the affected information and the breach

(17) What parties may have gained unauthorised access to the affected information?

  1. Did the breach involve disclosure to a party where there is a potential risk of misuse (eg. an unknown party), or to a trusted, known entity or person that would reasonably be expected to return or destroy the information without disclosing or using it?

(18) Have there been other breaches that could have a cumulative effect?

  1. A number of small, seemingly insignificant, breaches may have a cumulative effect. Separate breaches that might not, by themselves, be assessed as representing a real risk of serious harm to an affected individual, may meet this threshold when the cumulative effect of the breaches is considered.

(19) How could the personal information be used?

  1. Could the information be used for fraudulent or otherwise harmful purposes, such as to cause financial loss to the affected individual or to cause significant embarrassment to the affected individual?  Could the compromised information be easily combined either with other compromised information or with publicly available information to create a greater risk of harm to the individual?

Establish the cause and extent of the breach

(20) Is there a risk of ongoing breaches or further exposure of the personal information?

  1. What was the extent of the unauthorised access to or collection, use or disclosure of personal information, including the number and nature of likely recipients and the risk of further access, use or disclosure, including via mass media or online?

(21) Is there evidence of theft?

  1. Is there evidence that suggests theft, and was the personal information the target? For example, where a laptop is stolen, can it be determined whether the thief specifically wanted the information on the laptop?

(22) Is the personal information adequately encrypted, anonymised or otherwise not easily accessible?

  1. Is the information rendered unreadable by security measures that protect the stored personal information? Is the personal information displayed or stored in such a way so that it cannot be used if breached?

(23) What was the source of the breach?

  1. For example, did it involve external or internal malicious behaviour, or was it an internal processing error? Does personal information seem to have been lost or misplaced? The risk of harm to the individual may be less where the breach is unintentional or accidental, rather than intentional or malicious.

(24) Has the personal information been recovered?

  1. For example, has a lost laptop been found or returned? If the personal information has been recovered, are there any signs that it has been accessed, copied or otherwise tampered with?

(25) What steps have already been taken to mitigate the harm?

  1. Has the University adequately and effectively contained the breach? Have compromised security measures such as passwords been replaced? Has the full extent of the breach been assessed? Are further steps required?

(26) How many individuals are affected by the breach?

  1. If the breach is a result of a systemic problem, there may be more people affected than first anticipated.  Even where the breach involves accidental and unintentional misuse of information, if the breach affects many individuals, the scale of the breach may create greater risks that the information will be misused.  The University’s response to the breach will be proportionate to the scale.

Assess the risk of harm to the affected individuals

(27) Examples of the types of harm to individuals that could result from a privacy security breach include:

  1. identity theft;
  2. financial loss;
  3. the threat to physical safety;
  4. the threat to emotional wellbeing;
  5. loss of academic, business or employment opportunities; and/or
  6. humiliation, damage to reputation or relationships.

Assess the risk of other harms

(28) Other possible harms associated with a privacy security breach, including harms to the University, include:

  1. the loss of public trust in the University;
  2. reputational damage;
  3. loss of assets (eg. stolen computers or storage devices);
  4. financial exposure (eg. if bank account details are compromised or if financial compensation is paid by the University); and/or
  5. legal proceedings (eg. formal complaint).

NDB Scheme

(29) If the University suspects an eligible data breach has occurred, the University must make an assessment of the suspected eligible data breach under Step 2 of this Procedure within 30 days.

(30) The University should take any remedial action during the assessment period that is appropriate given the circumstances of the suspected eligible data breach.

Step 3: Consider whether Notification is Appropriate and, if so, undertake a Notification Process

(31) The University will consider the particular circumstances of a privacy security breach and decide whether to notify affected individuals and, if so, consider:

  1. when and how the notification should occur, who should make the notification, and who should be notified;
  2. what information should be included in the notification; and
  3. who else (other than the affected individuals) should be notified.

(32) Notification may be an important mitigation strategy following a privacy security breach; however, notification will not always be an appropriate response to a breach.  Each incident will be considered on a case-by-case basis to determine whether breach notification is appropriate.

Deciding whether to notify affected individuals

(33) The key consideration the University will adopt is whether notification is necessary to avoid or mitigate serious harm to an affected individual.  The University may consider the following factors when deciding whether notification is required:

  1. What is the risk of serious harm to the individual as determined by Step 2?
  2. What is the ability of the individual to avoid or mitigate possible harm if notified of a breach (in addition to steps taken by the University)?
  3. Even if the individual would not be able to take steps to improve the situation, is the information that has been compromised sensitive, or likely to cause financial damage or humiliation or embarrassment for the individual?

Notification process

(34) If the University determines that notification is appropriate, the University will endeavour to notify affected individuals directly - by phone, letter, email or in person.  The University will generally only adopt indirect notification methods, such as by website information, posted notices, media etc, where direct notification could cause further harm, is cost-prohibitive, or the contact information for affected individuals is not known.

What will be included in the notification?

(35) If the University determines that notification is appropriate, the content of the notification will depend on the particular breach and the notification method.  Notification may include the following types of information:

  1. incident description;
  2. type(s) of personal information involved;
  3. the response taken by the University to the breach to control or reduce the harm, and proposed future steps that are planned;
  4. assistance offered to affected individuals and steps the individual can take to avoid or reduce the risk of harm or to further protect themselves;
  5. other information sources designed to assist individuals in protecting against identity theft or interferences with privacy; and/or
  6. contact information for persons that can answer questions, provide further information or address specific privacy concerns.

Who else should be notified?

(36) If the University determines that notification is appropriate, the University may also consider that there are third parties who should also be notified about the breach.  Such third parties may include:

  1. Victorian Information Commissioner (Commissioner): In some circumstances, it may be appropriate to notify the Commissioner.  The University may consider the following factors when deciding whether to report a breach to the Commissioner:
    1. any applicable legislation that may require notification;
    2. the type(s) of personal information involved and whether there is a real risk of serious harm arising from the breach, including monetary and non-monetary losses;
    3. whether a large number of people were affected by the breach;
    4. whether the information was fully recovered without further disclosure;
    5. whether the affected individuals have been notified; and/or
    6. if there is a reasonable expectation that the Commissioner may receive complaints or inquiries about the breach.
  2. Office of the Australian Information Commissioner (OAIC): Where the University forms the opinion that an eligible data breach has occurred the University is required to notify the OAIC and affected individuals.
  3. Police: If theft or other crime is suspected.
  4. Insurers or others: If required by contractual obligations.
  5. Professional or other regulatory bodies: If professional or regulatory standards require the University to notify such a breach.

Step 4: Prevent Future Breaches

(37) In addition to the above three steps, the University may take further steps to prevent future privacy security breaches, including:

  1. undertaking a privacy security audit to ensure a similar breach does not occur again;
  2. making appropriate changes to any relevant protocols or work practices; and/or
  3. reviewing and, if necessary, revising staff training practices.