The purpose of this policy is to provide an overview of the Department of Communities and Justice’s (DCJ) procedures in relation to containing, assessing, managing, notifying and reporting on eligible data breaches in accordance with the Mandatory Notification of Data Breach Scheme (the MNDB Scheme) (as established within the Privacy and Personal Information Protection Act 1998 (NSW)).
This policy complies with section 59ZD of the Privacy and Personal Information Protection Act 1998 (NSW).
Employees should consult the DCJ Data Breach Response Plan for detailed guidance on how to respond to a data breach.
The DCJ Data Breach Response Plan is available on the intranet and outlines specific procedures to follow in the event of a data breach. DCJ takes privacy seriously and requires all employees to complete three mandatory e-learning modules:
Approved users are encouraged to complete annual training in the areas of privacy, cyber security and the NSW data breach notification requirements.
Term | Definition |
---|---|
Approved User | Any DCJ employee, volunteer, contracted service provider, graduate, consultant, vendor engaged by DCJ and any other authorised individual accessing DCJ systems, networks and/or information. |
CISO | Chief Information Security Officer |
Cyber Incident | An occurrence or activity that may threaten the confidentiality, integrity or availability of a system or the information stored, processed or communicated by it. |
Data Breach | When personal information held by DCJ is lost or subject to unauthorised access or disclosure. |
Data Breach Response Plan | A detailed plan outlining the steps required for DCJ employees to contain, assess, investigate and respond to a data breach. |
Data Breach Response Team | A team consisting of senior DCJ personnel responsible for coordinating DCJ’s response to a data breach. |
Eligible Data Breach | A data breach likely to result in serious harm to affected individuals, considering the likelihood of harm occurring and the anticipated consequences. |
Health Information | Health information is a class of personal information and includes information or opinions about the health or disability of an individual and/or a patient’s wishes about future healthcare. It also includes information collected in connection with the provision of a health service. |
MNDB Scheme | Mandatory Notification of Data Breach Scheme, established in section 6A of the Privacy and Personal Information Protection Act 1998 (NSW) (commenced 28 November 2023). |
OGIP | Open Government, Information and Privacy Unit, DCJ Legal |
Personal Information | Information or an opinion (including information or an opinion forming part of a database and whether or not recorded in a material form) about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion. |
All DCJ Approved Users must comply with this policy, including:
The MNDB Scheme (as contained in section 6A of the Privacy and Personal Information Protection Act 1998) commenced on 28 November 2023, requiring all public sector agencies, including DCJ, to take various steps in relation to assessing, containing, managing, notifying and reporting on eligible data breaches.
This policy provides a framework for DCJ’s compliance with the MNDB scheme.
A data breach occurs when personal information, including health information, held by DCJ is lost or subject to unauthorised access or unauthorised disclosure.
A data breach can be accidental or intentional and may arise as a consequence of a cyber-attack, inadvertent disclosure, over-provisioning of access to sensitive systems, or as a result of loss or theft of a physical device.
Types of data breaches include:
A data breach will be considered an ‘eligible data breach’ if the breach is likely to result in serious harm to affected individuals.
Serious harm occurs where the harm arising from the eligible data breach has resulted, or may result, in a real and substantial detrimental effect on an individual. Harm to an individual includes physical, economic, financial, social, emotional, psychological or reputational harm.
Assessment of the likelihood of serious harm arising from a data breach is an objective test. The phrase ‘likely to result’ means that the risk of serious harm to an individual is more probable than not, rather than merely possible.
The NSW Privacy Commissioner’s statutory guidelines will be considered by DCJ in its assessment of all data breaches impacting DCJ.
If a breach is assessed as ‘eligible’, the NSW Privacy Commissioner must be notified. Affected individuals must also be notified unless a relevant exemption applies.
All data breaches are different and should be assessed for notification eligibility on a case-by-case basis.
The Open Government, Information and Privacy Unit (OGIP) has established a robust Data Breach Response Plan (the Plan) enabling DCJ to respond to data breaches efficiently and expediently. The Plan details the steps and procedures Approved Users are required to take in the event of a data breach. Approved Users are expected to familiarise themselves with this Plan and the associated requirements.
All Approved Users are required to complete mandatory online data breach training to ensure they have sufficient understanding of what constitutes a data breach and what is required of them when a data breach is identified. This training encourages Approved Users to remain vigilant and enables them to easily identify suspected data breaches and respond accordingly.
Approved Users are also required to complete mandatory privacy training and cyber security training to raise awareness and understanding of DCJ’s obligations.
All DCJ contractors are subject to privacy obligations, including requirements to handle data breaches in accordance with the Privacy and Personal Information Protection Act 1998 and to immediately notify DCJ of any data breach or any alleged instance of a data breach involving the inadvertent or malicious loss, disclosure or corruption of DCJ information.
DCJ proactively identifies data breaches that may impact DCJ information by actively auditing and monitoring:
If a data breach occurs, Approved Users are immediately required to take all reasonable steps to prevent any further loss or compromise of personal and/or health information, and minimise any potential harm to affected individuals.
DCJ business units are required to make an initial assessment as to whether there are reasonable grounds to suspect that the breach is an Eligible Data Breach. If a reasonable suspicion of eligibility arises, the breach must be reported immediately to OGIP using the Reporting Template in the Data Breach Response Plan. All data breaches must be reported to OGIP within seven days of identification and will be triaged and formally assessed under the MNDB scheme.
If members of the community wish to report a data breach impacting DCJ data or systems, they can email databreach@dcj.nsw.gov.au.
Once a suspected eligible data breach is identified, OGIP will establish a Data Breach Response Team (the Response Team). The Response Team will consist of:
The Response Team will conduct a thorough assessment of the suspected eligible data breach, and consider the following:
If the breach is assessed as eligible, the relevant Business Unit, on the advice of the Response Team, will use the templates in the Data Breach Response Plan to notify the Privacy Commissioner and affected individuals where required.
Once the incident response is finalised and notifications complete, the relevant Business Unit will be responsible for conducting a Post Incident Review and completing a Post Incident Review report which must be sent to the Response Team for input before finalisation and reporting to the Secretary or their delegate.
OGIP will maintain an internal register of all eligible data breaches impacting DCJ.
OGIP will also maintain a public notification register on the DCJ website. This will be used to provide public notifications of eligible data breaches where DCJ is unable to notify, or it is not reasonably practicable to notify, affected individuals.
For further instructions on internal and external reporting requirements and procedures, please consult the Data Breach Response Plan.
06 Nov 2023