Communities and Justice

Your responsibilities when you detect an actual or suspected information security incident

Overview

As soon as you become aware of an information or data incident, your organisation must:

  • notify us and other relevant state and Commonwealth agencies
  • correct, contain or mitigate any loss of data
  • manage any media response required
  • inform and support any individuals or organisations directly affected
  • seek support and guidance from DCJ, if required
  • cooperate with any direction provided by DCJ
  • implement remedial actions recommended by DCJ and any other state or Commonwealth agency you may have informed of the incident.

Read more about what to expect after you notify us of an information security incident or data breach.

If a requirement stated in this policy conflicts with a provision specified in your contract with us, then the contract provision overrides that requirement.

Step 1. Notify DCJ of an actual or suspected information security incident

The nature of the incident and its potential impact on DCJ clients and systems determine who to contact at DCJ and when.

For malicious cyber-attacks on your ICT systems involving personal client information

If your organisation identifies that a cyber-attack is in progress, or has occurred, in your ICT systems:

  • immediately notify DCJ by completing the online notification form. This point of contact is monitored 24/7 and will be assessed by the DCJ Cyber Security team. Provide an initial report to DCJ within 48 hours of reporting the incident.
  • Once you have completed the form, you need to contact the following people:
    • During business hours: If you suspect the security incident involves data related to DCJ service delivery, please contact your DCJ Contract Manager.
    • Outside business hours: If the incident occurs after hours, and the data breach relates to client data, immediately contact the relevant district or central senior representative, as per the table below.

A representative of the DCJ Cyber Security team will contact your organisation and work with you to ascertain details of the incident. If necessary, you can request ICT guidance from DCJ.

DCJ will coordinate the incident and help determine if it is an eligible data breach. Your lead DCJ contract manager or a nominated DCJ coordinator will be the liaison between your organisation and our internal stakeholders.

District or central representative for after hours

The following contact numbers are for after hours only.

After hours contacts for NGOs operating within the following districts:

Hunter and Central Coast
  • Name: Eimear O’Farrell
  • Position: A/Director Commissioning and Planning
  • Phone: 0436 672 423
Illawarra Shoalhaven and Southern NSW
  • Name: Christine Witherdin
  • Position: Director Commissioning and Planning
  • Phone: 0437 595 791
Mid North Coast, Northern NSW and New England
  • Name: Fiona Napper
  • Position: Director Commissioning and Planning
  • Phone: 0427 070 072
Murrumbidgee Far West and Western NSW
  • Name: Brad Wotton
  • Position: A/Director Commissioning and Planning
  • Phone: 0402 000 646
South Western Sydney
  • Name: Samantha Gooch
  • Position: Director Commissioning and Planning
  • Phone: 0407 457 395
Sydney, South Eastern Sydney and Northern Sydney
  • Name: Penny Church
  • Position: Director Commissioning and Planning
  • Phone: 0401 144 434
Western Sydney and Nepean Blue Mountains
  • Name: Daniel Barakate
  • Position: Director Commissioning and Planning
  • Phone: 0407 189 693
Partnerships after hours contacts

For centrally managed contracts or where impacted services are state-wide

  • Name: Melinda Norton
  • Position: Executive Director Partnerships
  • Phone: 0419 626 320

For other incidents involving loss of client data or confidential program information

When your organisation detects any of these types of incidents, call and email your DCJ contract manager by the next business day. If your organisation holds multiple contracts with DCJ, notify your lead DCJ contract manager.

Other obligations

You may also have an obligation to notify the Information and Privacy Commission NSW (IPC), or the Office of the Australian Information Commission (OAIC), under relevant state and Commonwealth privacy laws. Justice Connect, Not-for-profit Law, provides resources to help you understand your obligations.

Step 2. Investigate the information or data incident and notify DCJ of early findings

Within 48 hours of notifying DCJ, you’re required to undertake an early investigation of the information security incident and notify your lead DCJ contract manager of the findings, in writing.

You can use the DCJ Information or data incident report (DOCX, 321.7 KB) to satisfy this requirement, or to help guide your organisation’s own version of the report.

Your report of the early investigation and its findings must include:

  • a description of the incident and its potential consequences
  • details of lost or potentially compromised client information/data
  • actions you have taken, or plan to take, to manage or remedy the loss or compromise of information
  • any actions required to ensure any disruption to ongoing service delivery is minimised.

 

Last updated: 06 Jan 2025