The purpose of this document is to outline definitions and set out procedures and clear lines of authority for VA Platinum (VAP) in the event that a data breach occurs or is suspected to have occurred.
This response plan is intended to enable VAP to contain, assess and respond to data breaches in a timely fashion and to help mitigate potential harm to affected individuals. It sets out contact details for the appropriate staff in the event of a data breach, clarifies the roles and responsibilities of staff, and documents processes to assist VAP to respond to a data breach.
Together with VAP’s Privacy Policy and other associated policies, this plan will enable VAP to comply with the following obligations:
• Australian Privacy Act 1988
• Notifiable Data Breaches (NDB) Scheme
Users of this document are all employees, Agents, Consultants, Contractors and Suppliers of VAP who have access to VAP’s information/data.
Personal information means information or an opinion about an identified individual or an individual who is reasonably identifiable, whether the information is true or not, and whether the information is recorded in a material form or not. It includes all personal information regardless of its source and regardless of whether it is publicly available.
A data breach occurs when personal information held by VAP is lost or subjected to unauthorised access, modification, use or disclosure or other misuse, regardless of whether it is accidental. For simplicity, this plan refers to data breaches of ‘personal information’, but it applies to ALL information held by VAP.
A data breach may be caused by malicious action (by an external or insider party), human error, or a failure in information handling or security systems.
Examples of data breaches include, but are not limited to:
• loss or theft of physical devices (such as laptops and storage devices) or paper records that contain personal information
• unauthorised access to personal information by an employee
• inadvertent disclosure of personal information due to ‘human error’, for example an email sent to the wrong person or a document left unattended on a desk
• disclosure of an individual’s personal information to a scammer as a result of inadequate identity verification procedures
• unauthorised use of, access to or modification of data or information systems
• hacking attack
• equipment theft or failure
• unauthorised disclosure of sensitive/confidential data
• unforeseen events affecting a contractor/supplier who holds information on behalf of VAP, or a cloud service provider (e.g., Dropbox) suffering a data breach
Data breaches can be caused by or exacerbated by a variety of factors, affect different types of personal information and give rise to a range of actual or potential harms to individuals, agencies or organisations.
Individuals whose personal information is involved in a data breach may be at risk of serious harm, whether that is harm to their physical or mental well-being, financial loss, or damage to their reputation.
Examples of harm include, but are not limited to:
• financial loss including unauthorised credit card transactions or credit fraud
• identity theft causing financial loss or emotional and psychological harm
• family violence
• physical harm, bullying or intimidation
• loss of business or employment opportunities
• humiliation/damage to reputation or relationships
A data breach can also negatively impact VAP’s reputation for privacy protection, and as a result may undercut its commercial interests and industry standing. The reputation impact of a data breach can be reduced by effectively minimising the risk of harm to affected individuals, and by demonstrating accountability in VAP’s data breach response.
The NDB scheme requires VAP to notify affected individuals and the Office of the Australian Information Commissioner (OAIC) about ‘Eligible Data Breaches.’ This notification allows affected individuals to take the required steps to reduce or remove the risk of harm.
An ‘Eligible Data Breach’ occurs when ALL the following criteria are met:
• there is unauthorised access to or disclosure of personal information held by VAP, or there is a loss of personal information in circumstances where unauthorised access or disclosure of the information is likely to occur; and
• this is likely to result in serious harm to any of the individuals to whom the personal information relates; and
• VAP has been unable to prevent the likely risk of serious harm with remedial action.
If it is not clear whether a suspected data breach meets these criteria, an objective assessment, determined from the viewpoint of a reasonable person within VAP, must be completed to determine whether the breach is an ‘Eligible Data Breach’ that triggers notification obligations.
Not all data breaches will be ‘Eligible Data Breaches.’ For example, if VAP acts quickly to remediate a data breach, and as a result of this the data breach is not likely to result in serious harm, the exception in the Privacy Act will apply and there will be no requirement to notify any affected individuals and the Office of the Australian Information Commissioner (OAIC) under the NDB scheme.
For more information on what constitutes an ‘Eligible Data Breach’, see the OAIC guide ‘Data Breach Preparation and Response’.
Broadly, VAP will follow the four key steps below when responding to a data breach. For more details, refer to the Appendices.
Step 1: Contain the data breach to prevent any further compromise of personal information.
Step 2: Assess the data breach by gathering the facts and evaluating the risks, including potential harm to affected individuals and, where possible, taking action to remediate any risk of harm.
Step 3: Notify individuals and the Commissioner if required. If the breach is an ‘Eligible Data Breach’ under the NDB scheme, it may be mandatory for the entity to notify.
Step 4: Review the incident and consider what actions can be taken to prevent future breaches.
IMPORTANT NOTE: The language used for all records must be English. If any evidence is in a language other than English, an English translation must be saved together with each original item of evidence.
There is no single method of responding to a data breach, but all known or suspected breaches must be taken seriously. Data breaches must be dealt with on a case-by-case basis, by undertaking an assessment of the risks involved and using that risk assessment to decide the appropriate course of action. Depending on the nature of the breach, additional staff or external experts may need to be included, for example an IT specialist/data forensics expert or a human resources adviser.
The VAP Data Breach Response Team (DBRT) is responsible for carrying out the actions that can reduce the potential impact of a data breach; however, all employees, Agents, Consultants, Contractors and Suppliers of VAP are responsible for notifying their Success Manager or VAP Immediate Supervisor of a suspected or confirmed data breach as soon as they become aware of it.
Title | Role |
VAP’s Employees, Agents, Consultants, Contractors and Suppliers | · Immediately report a suspected or known data breach to their Success Manager or VAP Immediate Supervisor (where practical, but within 24 hours) · Contain the breach by taking immediate steps to limit any further access to or distribution of the affected personal information or the possible compromise of other information · Preserve evidence of the suspected or known data breach · Assist their Success Manager or VAP Immediate Supervisor in completing the Data Breach Incident Report (Appendix 4) · Participate in investigations as required |
Success Manager | · Immediately report a suspected or known data breach to their Immediate Supervisor (where practical, but within 24 hours) · Contain the breach by taking immediate steps to limit any further access to or distribution of the affected personal information or the possible compromise of other information · Preserve evidence of the suspected or known data breach · Assist their Immediate Supervisor in completing the Data Breach Incident Report (Appendix 4) · Participate in investigations as required |
Immediate Supervisor | · Conduct a preliminary investigation · Assess whether a data breach has (or may have) occurred · Assess the potential impact/severity · If not already done, contain the breach by taking immediate steps to limit any further access to or distribution of the affected personal information or the possible compromise of other information · If not already done, preserve evidence of the suspected or known data breach · Report preliminary investigation findings to the Data Protection Officer · Complete the Data Breach Incident Report (Appendix 4) and submit it to the Data Protection Officer |
Data Protection Officer (DPO) | · Review preliminary investigation findings and the Data Breach Incident Report · Assess whether a data breach has (or may have) occurred · Assess the potential impact/severity · Assess the containment measures · Assess the remedial actions · Based on the severity, appoint appropriate Data Breach Response Team members · Review and approve improvement plans · Report to the CEO, Philippine Director and GM · Ensure compliance with relevant policies and guidelines |
Chief Executive Officer (CEO), Philippine Director & General Manager (GM) | · Approve the Data Breach Incident Report · Approve the notification requirements assessment · Approve the Notifiable Data Breach Form, if necessary · Approve the Professional Indemnity Insurance Claim Application, if necessary |
Data Breach Response Team (DBRT) | · Assess the preliminary investigation and conduct a detailed investigation and assessment of the data breach · Assess and implement containment and/or remediation actions · Assess notification requirements (e.g., which law enforcement agencies, regulators or other entities/parties may need to be contacted or notified) · Assess whether an Eligible Data Breach has occurred and whether notification to the OAIC is required, and complete the Eligible Data Breach Assessment Form · Assess the OAIC notification requirement and complete the Notifiable Data Breach Form, if necessary (refer to the OAIC’s Guide) · Assess Professional Indemnity Insurance coverage · Complete the Professional Indemnity Insurance Claim Application and manage the claim process, if necessary |
The DBRT Members may include but are not limited to the below:
DBRT Member | Responsibilities |
DPO | Lead the DBRT and report to the CEO, Philippine Director and GM |
Compliance Officer or Project Manager | · Assist the DPO in the management and coordination of the breach · Assist the DPO in the management and coordination of the DBRT and provide support to DBRT members |
Privacy and Legal Expert | · Provide privacy expertise · Identify legal obligations and provide advice · Provide insurance coverage expertise |
Investigation and Risk Management Support | · Conduct investigation and assessment · Identify the cause and impact of the data breach · Identify improvement plans |
Subject Matter Expert | Provide specific area expertise depending on the nature of the breach |
Implementation Support | · Implement containment and/or remediation actions · Complete notification requirements · Implement improvement plans |
Communication Support | Communicate and deal with affected individuals and external stakeholders |
When you discover, or are alerted to, a data breach or suspected data breach, immediately report it to your Success Manager or VAP Immediate Supervisor and complete the Data Breach Incident Report (Appendix 4) within 24 hours. If the breach occurs or is discovered outside normal working hours, it must be reported as soon as is practicable.
If an external contractor or supplier reports an actual or suspected data breach, the relevant contract should be reviewed to determine what action is to be taken. VAP may be able to:
• participate in the contractor’s or supplier’s assessment of the event, and whether it amounts to an Eligible Data Breach; and
• meet with the contractor or supplier to discuss and agree who will issue any required notification.
Details of the breach should be recorded accurately, including the date and time the breach occurred, the date and time it was detected, who or what reported the breach, a description of the breach, details of any systems involved, and corroborating material such as error messages, log files, etc.
The VAP Immediate Supervisor and DPO will assist the person reporting the breach to contain and minimise the effect of a suspected or known breach where possible. This means taking immediate steps to stop (if possible, otherwise limit) any further access or distribution of the affected personal information, or the possible compromise of other information.
The containment should be done by the person who first suspects or is made aware of the data breach, to the best of their abilities.
What is needed to contain the breach is determined on a case-by-case basis, however, addressing the following may help to identify strategies to contain a data breach:
• How did the data breach occur?
• Is the personal information still being shared, disclosed, or lost without authorisation?
• Who has access to the personal information?
• What can be done to secure the information, or stop the unauthorised access or disclosure, and reduce the risk of harm to affected individuals?
• Establish who needs to be made aware of the breach and inform them of what they are expected to do to assist in the containment exercise. For example, this might entail isolating a compromised section of the network, finding a lost file or piece of equipment, or simply changing passwords or codes to server rooms, etc.
• Establish whether there is anything that can be done to recover losses and limit the damage the breach can cause.
Everyone should be careful not to destroy evidence that may be valuable in identifying the cause of the breach, or that would enable VAP to address all risks posed to affected individuals or VAP. For example, ensure all evidence (including emails, voice messages, SMS/text messages, call recordings and call logs) has been saved/recorded before offboarding the equipment or purging the data from the equipment/systems involved in the breach. When saving a file, ensure the file name is brief but clear enough to show what the file is about before it is opened, as per VAP guidelines. If an email contains an attachment, save the entire email, with the attachment still attached, in an email file format to record the timestamp and as proof of the attachment’s source.
The VAP Immediate Supervisor is responsible for undertaking a preliminary assessment of whether an Eligible Data Breach has or may have occurred, and the impact and severity of that actual or suspected breach.
If, after reviewing the initial assessment, the DPO is of the view that a data breach has, or may have, occurred, the DPO activates the DBRT.
The DBRT’s assessment should follow the below three-phase process:
This will involve gathering together all necessary and relevant information about the actual or suspected data breach. It should include a prompt assessment of the following:
• What information has been lost or accessed or disclosed without authorisation?
• What happened to the information? Has it been lost or stolen?
• What was the cause of the data breach?
• Was the information protected by any security measures (password protection or encryption)?
• Who or what kinds of people have access to the information?
• What is the type and extent of the data breach?
• What individuals have been, or may be, affected by the data breach, and the extent of the harm?
• Is there (or could there be) a real risk of serious harm to the affected individuals?
• Are there ways that the data breach can be contained (as it is vital to ensure as quickly as possible that there are no ongoing or repeated data breaches stemming from the same or related causes)?
• Is there any need to immediately notify any person potentially affected (and if so, who, and what information should be disclosed to them)?
• Could there be media or stakeholder attention as a result of the breach or suspected breach?
Evidence may be needed later to find the cause of the problem, or to fix the issue, so care needs to be taken to ensure that nothing is destroyed.
Seek internal or external advice to assist as required.
This assessment process must be completed within 30 calendar days of the day VAP becomes aware of the grounds (or information) that caused VAP to suspect an Eligible Data Breach. The Australian Information Commissioner (OAIC) expects that wherever possible entities treat 30 days as a maximum time limit for completing an assessment, and endeavour to complete the assessment in a much shorter timeframe, as the risk of serious harm to individuals often increases with time.
Where VAP cannot reasonably complete an assessment within 30 calendar days, this should be documented, so that VAP is able to demonstrate:
• that all reasonable steps have been taken to complete the assessment within 30 calendar days
• the reasons for the delay
• that the assessment was reasonable and expeditious
In conducting the assessment, consider:
• whether any individual may be “at risk” of serious harm now or in the future, taking into account a wide variety of factors (such as the sensitivity of the information, whether the information is protected by one or more security measures, the kind of person(s) who could obtain the information and the nature of the harm)
• whether the data could be put to any illegal or inappropriate use
• the number of people affected by the breach or suspected breach
• the type and sensitivity level of personal information involved in the data breach
• circumstances of the data breach, including its cause and extent
• the nature of the harm, and whether this can be removed through remedial action
• whether the data breach or suspected data breach may indicate a systemic problem with VAP practices or procedures
• other issues relevant to the circumstances, such as the value of the data to VAP or issues of reputational risk
• whether the incident amounts to an Eligible Data Breach (as defined in the Privacy Act)
• whether there are any legal/contractual notification requirements
• whether notification would assist the individual affected – could they act on the information to mitigate risks
• whether notification would help prevent the unauthorised or unlawful use of the information
If the breach involves another entity, VAP should attempt to speak with that entity’s DBRT or representative.
There are exceptions to notifying OAIC in certain circumstances. Assess whether an exception is applicable to the situation.
• Where the risks associated with a data breach are low, and remedial action can be appropriately taken and is successful in preventing the likelihood of serious harm, the incident will not be an Eligible Data Breach and notification to the OAIC is not required.
For example, a VAP employee may, as a result of human error, send an email containing personal information to the wrong recipient. Depending on the sensitivity of the contents of the email, if the email can be successfully recalled, or if VAP can contact the recipient and obtain an assurance that the recipient has deleted the email, this will no longer be an Eligible Data Breach.
Once the DBRT has assessed and decided whether an Eligible Data Breach has occurred, the DPO must confirm this with the CEO, Philippine Director and GM. If the CEO, Philippine Director and GM agree with the conclusion, the decision and the reasons for it must be documented and filed.
If VAP determines that the incident is an Eligible Data Breach (as defined in the Privacy Act) then VAP must notify the affected individuals and OAIC.
Remedial action
Determine if the breach is still occurring. If so, the appropriate steps should be taken immediately to stop and minimise the effect of the breach. Establish whether there is anything that can be done to recover losses and limit the damage the breach can cause.
Where possible, promptly take steps to reduce any potential harm to individuals. This might involve taking action to recover lost information before it is accessed or changing access controls on compromised stakeholder accounts before unauthorised transactions can occur. It may also involve any compromised security credentials being revoked, and the Information and Communication Technology (ICT) systems affected by a virus or malware being isolated or turned off.
Notification
If the DBRT determines that there has been an Eligible Data Breach, the DBRT will complete the OAIC’s online Notifiable Data Breach form, which will contain the following:
• VAP’s contact details
• a description of the breach
• the kind/s of information concerned
• recommended steps for individuals
The DBRT will also notify affected individuals and inform them of the contents of this statement. The DBRT will determine which of the following three options will be used for this notification:
• Option 1: Notify all affected individuals (where VAP cannot reasonably assess which particular individuals are at risk of serious harm from an Eligible Data Breach that involves personal information about many people, but where VAP has formed the view that serious harm is likely for one or more of the individuals)
• Option 2: Notify only those individuals at risk of serious harm (where VAP can identify that only a particular individual, or a specific subset of individuals, involved in an Eligible Data Breach is at risk of serious harm, and can specifically identify those individuals)
• Option 3: Publish the statement on the VAP website and publicise it (where neither of the first two options is practicable).
Where appropriate, the DBRT will provide further information in the notification, such as an apology and a summary of actions taken regarding the breach.
There are some exceptions to the notification requirements, which relate to:
• Eligible Data Breaches of other entities
• enforcement related activities
• inconsistency with secrecy provisions
• declarations by the Commissioner
The DBRT will consider any applicable exceptions and refer as required to the guidance provided on the OAIC website.
Each data breach needs to be considered on a case-by-case basis to determine whether notification is mandatory or desirable (even if notification is not legally required, there may be reasons why VAP may decide to issue a notification).
Notification to the individuals whose personal data has been affected by the incident will include a description of how and when the breach occurred and the data involved. Specific and clear advice will be given on what they can do to protect themselves, and include what action has already been taken to mitigate the risks.
Where illegal activity is known or is believed to have occurred, or where there is a risk that illegal activity might occur in the future, consider notifying third parties such as the authorities, insurers, bank or credit card companies, and service providers, etc.
Consider whether the communications team should be informed regarding a press release and to be ready to handle any incoming press enquiries.
Review
Once notification obligations are completed, the DBRT should conduct a thorough review of the incident and of how it was managed. Identify areas for improvement and take action to prevent future breaches and to better manage future incidents. This may include:
• fully investigating the cause of the breach
• developing a prevention plan
• conducting audits to ensure the plan is implemented
• updating the security/response plan
• considering changes to policies and procedures
• revising staff training practices
The DBRT will also review and assess the data breach management and response and the effectiveness of the Data Breach Management Policy and this Data Breach Response Plan, including:
• whether the data breach or suspected data breach may indicate a systemic problem with VAP practices or procedures
• possible motives for the breach (where intentional)
• other relevant issues, such as the value of the data to VAP or issues of reputational risk
Circumstances in which other relevant bodies may need to be contacted
Where relevant, a nominated representative of VAP’s executive team may also report the incident to other relevant bodies, such as:
• police or law enforcement (where the breach may lead to fraud, violence or other illegal acts)
• Australian Securities and Investments Commission (ASIC), Australian Prudential Regulation Authority (APRA) or the Australian Taxation Office (ATO), (where the breach may lead to fraud, or where financial information is involved)
• the Australian Cyber Security Centre (where the breach is in the form of a cyber-attack)
• VAP’s financial services providers (where VAP financial systems have been compromised)
• VAP’s insurer(s)
• co-holders of personal information (where information is stored on a shared database)
• other third parties as appropriate (where required under agreements with third parties such as insurance policies or service agreements)
IMPORTANT NOTE: The language used for all records must be English. If any evidence is in a language other than English, an English translation must be saved together with each original item of evidence.
Action Item | Timeline | Person In Charge |
Notify VAP Immediate Supervisor or Success Manager | Immediately after discovery | Person who discovered the breach |
Notify Success Manager Lead, relevant Business Development Manager, Data Protection Officer and Compliance Officer | Immediately after being notified about the breach | Success Manager |
Complete Section 1 of the Data Breach Incident Report and email it to the Data Protection Officer and Compliance Officer, CC CEO, Philippine Director and General Manager (refer Appendix 4) | Within 1 hour of discovery | Immediate Supervisor and reporting staff member |
Organise a meeting with the Data Breach Response Team. Example team members: person who discovered the breach; Success Manager or VAP Immediate Supervisor of the person who discovered the breach; Success Manager Lead; Data Protection Officer; Compliance Officer; Head of Sales; relevant Business Development Manager; HR Manager; other relevant people and subject matter experts | Immediately after being notified about the breach | Compliance Officer or Project Manager |
Discuss the next course of action, the person in charge of each action item and the time frame | During DBRT meeting | DBRT members |
Set up action plan tracker (refer Appendix 5) | During DBRT meeting | Compliance Officer |
Create a group chat for communication | Immediately after DBRT meeting | Compliance Officer |
Create a data breach folder for the client using the Data Breach folder template, provide access to the relevant POC and update the Access Level Sheet | Immediately after DBRT meeting | Compliance Officer |
Monitor, coordinate and follow up on action items | Throughout the entire Data Breach Project | Compliance Officer |
Update action plan tracker | As soon as there is an update, throughout the entire Data Breach Project | DBRT |
Arrange and coordinate DBRT meetings. At minimum, recurring weekly DBRT meetings should be prebooked. | Immediately after first DBRT meeting | Compliance Officer |
Conduct investigation | Immediately after discovering the breach. Completion time frame based on complexity of the breach: Low – 1-2 weeks; Medium – 2-3 weeks; High – 3-4 weeks | DBRT |
Complete the remaining sections of the incident report and send to Data Protection Officer and Compliance Officer | Throughout the entire Data Breach Project, as soon as there is an update. Completion time frame based on complexity of the breach: Low – 1-2 weeks; Medium – 2-3 weeks; High – 3-4 weeks | Success Manager or VAP Immediate Supervisor and reporting staff member |
File all relevant evidence and documentation in the Data Breach folder | Throughout the entire Data Breach Project, as soon as there is an update. Completion time frame based on complexity of the breach: Low – 1-2 weeks; Medium – 2-3 weeks; High – 3-4 weeks | DBRT |
Review and email incident report to CEO to sign, cc Philippine Director & General Manager | Within 1 week of completion of investigation | DPO |
File the fully signed incident report in the Data Breach folder | Immediately after receiving it from CEO | DPO |
Conduct post-breach review | Within 1 week of submission of the final Data Breach Incident Report | DBRT |
Complete the Post-breach Review and Improvement Plan (refer Appendix 6) | Within 1 month of submission of the final Data Breach Incident Report | Compliance Officer |
Email the Post-breach Review and Improvement Plan to CEO, Philippine Director & General Manager | Within 1 month of submission of the final Data Breach Incident Report | DPO |
Monitor progress and ensure completion of the improvement plans | As per the agreed timeline indicated in the Post-breach Review and Improvement Plan form | Compliance Officer |
Remove everyone who no longer needs access to the Data Breach folder and update the Access Level Sheet | Immediately after the data breach is wrapped up and closed | Compliance Officer |
Example 1
An employee leaves documents containing the personal information of a client on their desk at the end of the day on Friday. The employee only discovers that the documents have been left on their desk the following Monday morning. The employee is unsure of who has access to the office over the weekend, and is not sure if someone could have read the documents.
Considering that the documents could have been read by anyone with a key to the office, an investigation is conducted with every key holder.
Each of them confirms that they have not been in the office since close of business on Friday, and this is verified against the CCTV recording. VAP establishes that the breach was not serious and that there is no risk of serious harm to the client. VAP decides that it is not an Eligible Data Breach.
Example 2
A staff member becomes aware that the company’s customer database has been publicly available on the internet due to a technical error for more than 1 month. It has been accessed a number of times and it is not possible to verify who accessed the information. The external IT provider has removed the database from the public domain once notified.
In this scenario, the breach is serious and is likely to cause harm. Remedial action was taken, but the personal information of individuals was available for some time.
VAP should seek legal advice and may need to notify its insurer. VAP should also report the breach to the Office of the Australian Information Commissioner (OAIC). Affected customers should be notified via email. A notice describing the breach could be included on the VAP website.
Template Path Location: VA Platinum Dropbox\VA Platinum Files\4 – Template\Data Breach\Data Breach Incident Report.docx
Template Path Location: VA Platinum Dropbox\VA Platinum Files\4 – Template\Data Breach\Data Breach Action Plan Tracker.gsheet
Template Path Location: VA Platinum Dropbox\VA Platinum Files\4 – Template\Data Breach\Post-breach Review and Improvement Plan.gsheet
Template Path Location: VA Platinum Dropbox\VA Platinum Files\4 – Template\Data Breach\COMPLETED SAMPLE-Data Breach Incident Report.docx