VAP Data Protection Breach Management Policy
This document sets out the processes to be followed by VAP staff in the event that VAP experiences a data breach or suspects that a data breach has occurred. A data breach involves the loss of, unauthorised access to, or unauthorised disclosure of, personal information.
The Privacy Amendment (Notifiable Data Breaches) Act 2017 (NDB Act) amended the Privacy Act 1988 to establish the Notifiable Data Breaches (NDB) scheme, which requires organisations covered by the Privacy Act to notify individuals who are likely to be at risk of serious harm from a data breach. The Office of the Australian Information Commissioner (OAIC) must also be notified.
Under the scheme, an "eligible data breach" occurs where there has been unauthorised access to, unauthorised disclosure of, or loss of personal information, a reasonable person would conclude that this is likely to result in serious harm to any of the affected individuals, and VAP has not been able to remove that risk through remedial action. Accordingly, VAP needs to be prepared to act quickly in the event of a data breach (or suspected breach), to determine whether it is likely to result in serious harm and whether it constitutes an eligible data breach.
Adherence to this procedure and response plan will ensure that VAP can contain, assess and respond to data breaches expeditiously and mitigate potential harm to the person(s) affected.
VA Platinum Pty Ltd is legally required under the Privacy Act 1988 (Cth) to ensure the security and confidentiality of the information/data it processes on behalf of its clients and employees.
Information/data is one of our most important assets and each one of us has a responsibility to ensure the security of this information. Accurate, timely, relevant and properly protected information/data is essential to the successful operation of the VAP in the provision of services to our clients.
Sometimes a breach of information/data security may occur because this information/data is accidentally disclosed to unauthorised persons, or lost due to a fire or flood, or stolen as result of a targeted attack, or the theft of a computer, mobile or electronic device.
The purpose of this policy is to ensure that a consistent, standardised management approach is followed throughout the organisation in the event of an information/data breach.
This policy is mandatory and by accessing any of the VAP’s Information/data, users are agreeing to abide by the terms of this policy.
This policy represents the VAP national position and takes precedence over all other relevant policies which may have been developed at a local level. The policy applies to all VAP employees, service providers, contractors and third parties who access, use, store or process information on behalf of the VAP. This policy is authorised by the management of VAP.
The objective of this Policy is to contain any breaches, to minimise the risk associated with the breach and consider what action is necessary to secure personal data and prevent further breaches.
VAP has an obligation to abide by all relevant Australian legislation. The relevant acts, which apply in Australian law to Information Systems, include but are not limited to:
- Privacy Amendment (Notifiable Data Breaches) Act 2017 (NDB Act).
- Privacy Act 1988 (Cth) (Privacy Act), including the Notifiable Data Breaches scheme in force from 22 February 2018.
4.0 Definition/Types of Breach
For the purpose of this Policy, data security breaches include both confirmed and suspected incidents.
An incident in the context of this Policy is an event or action which may compromise the confidentiality, integrity or availability of systems or data, either accidentally or deliberately and has caused or has the potential to cause damage to VAP assets and/or reputation.
An incident includes but is not restricted to, the following:
- Loss or theft of confidential or sensitive data or equipment on which such data is stored (e.g. loss of laptop, USB stick, iPad/tablet device, or paper record)
- Equipment theft or failure
- Unauthorised use of, access to or modification of data or information systems
- Attempts (failed or successful) to gain unauthorised access to information or IT system(s)
- Unauthorised disclosure of sensitive / confidential data
- Website defacement
- Hacking attack
- Unforeseen circumstances such as a fire or flood
- Human error
- ‘Blagging’ (pretexting or social engineering) offences, where information is obtained by deceiving the organisation that holds it
In the event that an information/data breach happens, the following breach management plan is strictly adhered to.
There are five elements to any breach management plan:
- Identification and Classification
- Containment and Recovery
- Risk Assessment
- Notification of Breach
- Evaluation and Response
6.0 Breach Management Plan
6.1 Identification and Classification
Any individual who accesses, uses or manages information is responsible for reporting data breaches and information security incidents immediately to the Data Protection Officer (DPO) – Brian Jones firstname.lastname@example.org and the Operations Manager (OM) – Ed Arguelles email@example.com.
What does the Operations Manager do?
The Operation Manager will determine whether a data breach has or may have occurred.
The Operations Manager will complete an Assessment within five (5) business days of being notified of the breach regardless of whether it is a data breach, suspected data breach or eligible data breach.
The Assessment should include a full report of the breach or suspected breach, with recommendations to resolve the issue and ensure that it doesn’t happen in the future.
The Operations Manager should have regard to:
- whether multiple individuals were or could be affected by the breach (or suspected breach);
- whether there is a real risk of serious harm to the affected persons;
- whether the breach or suspected breach indicates a systemic problem in VAP processes or procedures; and
- whether there could be media or stakeholder attention as a result of the breach or suspected breach.
If it is a minor breach or suspected breach, the Operations Manager should make a report that records the breach or suspected breach, notes the action they took to address it, the outcome of the action and whether further action is required.
If the breach involves another entity, the Operations Manager should attempt to speak with that entity’s data breach response team or representative.
If the Operations Manager decides that it is an eligible data breach, the Operations Manager will notify the DPO.
If the Operations Manager is uncertain as to whether or not an eligible data breach has occurred the Operations Manager should consult with the DPO.
What does the DPO do?
The DPO is the director to whom the Operations Manager reports definite and suspected eligible data breaches.
The Operations Manager’s Assessment, escalation to the DPO and the DPO’s decision as to whether or not to obtain legal advice must be completed within 30 days of VAP first becoming aware of the breach. This is the maximum assessment period permitted under the NDB scheme; the 30 days is an outer limit, not a target.
If the breach occurs or is discovered outside normal working hours, it must be reported as soon as is practicable.
The Operations Manager must put in place procedures that will allow any staff member to report any information/data security breach.
- It is important that all staff are aware to whom they should report such a breach.
- Having such a procedure in place will allow for early recognition of the breach so that it can be dealt with in the most appropriate manner.
- Details of the breach should be recorded accurately, including the date and time the breach occurred, the date and time it was detected, who/what reported the breach, description of the breach, details of any systems involved, corroborating material such as error messages, log files, etc.
- In this respect, staff need to be made fully aware of what constitutes a breach. For the purposes of this policy a breach is the release of VAP or client confidential or personal information/data to unauthorised persons, whether through accidental disclosure, loss or theft of the information/data, or deliberate attack.
Criteria for determining severity:
- The type and extent of personal information involved;
- Whether multiple individuals have been affected;
- Whether the information is protected by any security measures (e.g. encryption, or password protection where the underlying storage is encrypted; a login password on an unencrypted lost device does not by itself protect the data on it);
- The person or kinds of people who now have access;
- Whether there is (or could there be) a real risk of serious harm to the affected individuals; and
- Whether there could be media or stakeholder attention as a result of the breach or suspect breach.
6.2 Containment and Recovery
The Data Protection Officer (DPO) will firstly determine if the breach is still occurring. If so, the appropriate steps will be taken immediately to minimise the effect of the breach.
An initial assessment will be made by the DPO in liaison with relevant officers to establish the severity of the breach and who will take the lead investigating the breach.
Containment involves limiting the scope and impact of the breach of data/information.
If a breach occurs, the Operations Manager should:
- Decide on who would take the lead in investigating the breach and ensure that the appropriate resources are made available for the investigation.
- Establish who in the organisation needs to be made aware of the breach and inform them of what they are expected to do to assist in the containment exercise. For example, this might entail isolating a compromised section of the network, finding a lost file or piece of equipment, or simply changing passwords or codes to server rooms, etc.
- Establish whether there is anything that can be done to recover losses and limit the damage the breach can cause.
6.3 Risk Assessment
An investigation will be undertaken by the Operations Manager immediately and wherever possible within 24 hours of the breach being discovered / reported.
In assessing the risk arising from the security breach, the Operations Manager should consider what would be the potential adverse consequences for individuals, i.e. how likely it is that adverse consequences will materialise and, in the event of materialising, how serious or substantial are they likely to be.
The following points should be considered:
- What type of Information/data is involved?
- How sensitive is the information/data?
- Are there any security mechanisms or protections in place (e.g. password protection, encryption)?
- What could the information/data tell a third party about the individual?
- What happened to the data? Has it been lost or stolen?
- Whether the data could be put to any illegal or inappropriate use
- How many individuals are affected by the breach?
6.4 Notification of Breaches
The OM and DPO, in consultation with an IT Security Specialist will determine who needs to be notified of the breach.
Every incident will be assessed on a case by case basis; however, the following will need to be considered:
- Whether there are any legal/contractual notification requirements
- Whether notification would assist the individual affected – could they act on the information to mitigate risks?
- Whether notification would help prevent the unauthorised or unlawful use of personal data
All information/data breaches must be reported to the affected client or the DPO immediately. Members of staff and the Operations Manager must complete a Data Breach Incident Report (Appendix 2) and forward a scanned copy by email to the affected client for breaches involving manual (paper based) information/data, or to the IT centre or helpdesk for breaches involving electronic data. The report itself contains personal information and details of the breach, so it must be sent only to the intended recipients and through VAP’s approved email service, not to personal accounts.
Notification to the individuals whose personal data has been affected by the incident will include a description of how and when the breach occurred and the data involved. Specific and clear advice will be given on what they can do to protect themselves, and include what action has already been taken to mitigate the risks.
The OM and/or the DPO must consider notifying third parties such as the authorities, insurers, banks or credit card companies, and service providers, etc. This would be appropriate where illegal activity is known or is believed to have occurred, or where there is a risk that illegal activity might occur in the future.
The OM and/or the DPO will consider whether the communications team should be informed regarding a press release and be ready to handle any incoming press enquiries.
All actions will be recorded by the DPO.
6.5 Evaluation and Response
Subsequent to any information/data security breach a thorough review of the incident should occur. The purpose of this review is to ensure that the steps taken during the incident were appropriate and to identify areas that may need to be improved. Any recommended changes to policies and/or procedures should be documented and implemented as soon as possible thereafter. The OM should identify a group of people within the organisation who will be responsible for reacting to reported breaches of security.
7.0 Review & Update
Once the initial incident is contained, VAP will carry out a full review of the causes of the breach; the effectiveness of the response(s) and whether any changes to systems, policies and procedures should be undertaken.
Existing controls will be reviewed to determine their adequacy, and whether any corrective action should be taken to minimise the risk of similar incidents occurring.
The review will consider:
- Where personal data is held and how it is stored
- Where the biggest risks lie, and any further potential weak points within existing measures
- Whether methods of transmission are secure, and whether only the minimum amount of data necessary is shared
- Weak points within existing security measures
- Staff awareness
- Implementing a data breach plan and identifying a group of individuals responsible for reacting to reported breaches of security
If deemed necessary a report recommending any changes to systems, policies and procedures will be considered by the DPO and OM.
VAP reserves the right to take such action as it deems appropriate against users who breach the conditions of this policy. VAP employees who breach this policy may be denied access to the organisation’s information technology resources, and may be subject to disciplinary action, including suspension and dismissal as provided for in the VAP disciplinary procedure.
9.0 Storage of breach information
Records of all breaches or suspected breaches, and steps taken to resolve, should be saved for seven (7) years, as required under the law.
Records can be saved electronically and should be encrypted at rest, with access restricted to the DPO, the OM and those they authorise, since the records themselves contain personal information about affected individuals.