(1) In the event a privacy security breach occurs with regard to personal information held by Victoria University (University), the University will take appropriate steps in response to the breach of its privacy security. (2) For the purpose of this Procedure, a privacy security breach occurs if personal information held by the University is lost or subjected to unauthorised access, modification, disclosure or other misuse. (3) This Procedure applies to all University staff, students and agents. (4) Nil (5) Refer to Privacy Policy. (6) There is no single way the University will respond to a privacy security breach if one occurs, as privacy security breaches can be caused or exacerbated by a number of factors. Each breach will be dealt with by the University on a case-by-case basis, with the University undertaking an assessment of the risks involved, and using that risk assessment as the basis for deciding what actions to take in the circumstances. (7) As a guide, there are four key steps that the University will generally follow when responding to a privacy security breach or suspected privacy security breach: (8) If any person within the University discovers, suspects or is made aware of a privacy security breach, that person should escalate the matter immediately to the Director, ITS Security and Risk Assurance and/or the Privacy Compliance Officer so that the University can take necessary and practicable steps to address and contain the breach. (9) What steps are necessary to contain the privacy security breach will depend on the nature of the breach, but may include: (10) The Director, ITS Security and Risk Assurance will be responsible for co-ordinating the University’s response to the privacy security breach. (11) The University will assess the risks associated with the privacy security breach. In doing so, it may consider the following factors: (12) Some types of personal information are more likely to cause an individual harm if compromised (for example, an individual’s academic information, financial information, or health or other sensitive information), whether that harm is physical, financial or psychological. (13) What parties may have gained unauthorised access to the affected information? (14) Have there been other breaches that could have a cumulative effect? (15) How could the personal information be used? (16) Is there a risk of ongoing breaches or further exposure of the personal information? (17) Is there evidence of theft? (18) Is the personal information adequately encrypted, anonymised or otherwise not easily accessible? (19) What was the source of the breach? (20) Has the personal information been recovered? (21) What steps have already been taken to mitigate the harm? (22) How many individuals are affected by the breach? (23) Examples of the types of harm to individuals that could result from a privacy security breach include: (24) Other possible harms associated with a breach of privacy security, including to the University include: (25) The University will consider the particular circumstances of a privacy security breach and decide whether to notify affected individuals; and, if so consider: (26) Notification may be an important mitigation strategy following a privacy security breach, however, notification will not always be an appropriate response to a breach. Each incident will be considered on a case-by-case basis to determine whether breach notification is appropriate. (27) The key consideration the University will adopt is whether notification is necessary to avoid or mitigate serious harm to an affected individual. The University may consider the following factors when deciding whether notification is required: (28) If the University determines that notification is appropriate, the University will endeavour to notify affected individuals directly - by phone, letter, email or in person. The University will generally only adopt indirect notification methods, such as by website information, posted notices, media etc, where direct notification could cause further harm, is cost-prohibitive, or the contact information for affected individuals is not known. (29) If the University determines that notification is appropriate, the content of the notification will depend on the particular breach and the notification method. A notification may include the following types of information: (30) If the University determines that notification is appropriate, the University may also consider that there are third parties who should also be notified about the breach. Such third parties may include: (31) In addition to the above three steps, the University may take further steps to prevent future privacy security breaches, including: (32) NilPrivacy Security Breach Procedure
Section 1 - Summary
Section 2 - Accountability
Top of Page
Accountable / Responsible Officer
Role
Accountable Officer
Vice-President, Planning and Registrar
Responsible Officer
Privacy Compliance Officer
Section 3 - Scope
Section 4 - Definitions
Section 5 - Policy
Section 6 - Procedures
Part A - Summary of Roles and Responsibilities
Roles
Responsibilities
Director, ITS Security and Risk Assurance
Responsible for co-ordinating the University’s response to the privacy security breach.
Part B - Responding to Privacy Security Breaches: Four Key Steps
Step 1: Contain the Breach
Step 2: Evaluate the Risks Associated with the Breach
The type(s) of personal information involved
The context of the affected information and the breach
Establish the cause and extent of the breach
Assess the risk of harm to the affected individuals
Assess the risk of other harms
Step 3: Consider whether Notification is Appropriate and, if so, undertake a Notification Process
Deciding whether to notify affected individuals
Notification process
What will be included in the notification?
Who else should be notified?
Step 4: Prevent Future Breaches
Top of PageSection 7 - Guidelines
View Document
This is not a current document. To view the current version, click the 'Current Version' tab above.
Each of the above steps is addressed in further detail below.