Data Breach Policy
Part 6A of the Privacy and Personal Information Protection Act 1998 (NSW) (PPIP Act) sets out a mandatory notification of data breach scheme, which applies to public sector agencies, including the Aboriginal Languages Trust (ALT), from 28 November 2023.
What is a data breach?
Data breaches commonly fall into three broad categories:
- Human error
- System error
- Cyber attack or criminal activity
Data breaches involving human error may occur where, for example, an email containing personal information is sent to the incorrect recipient or a USB stick, document or mobile phone containing personal information is lost.
Data breaches involving system error may occur where, for example, insecure systems or protocols allow unauthorised access.
Data breaches resulting from a cyber attack or criminal activity may occur as a result of malware, hacking, phishing, ransomware or brute force access attempts resulting in access to or theft of personal information, or theft of a physical asset such as a laptop or USB stick containing personal information.
What is an eligible data breach?
An eligible data breach occurs where:
- there is unauthorised access to, or unauthorised disclosure of, personal information held by the ALT, or loss of personal information held by the ALT in circumstances that are likely to result in unauthorised access to or unauthorised disclosure of that information, and
- a reasonable person would conclude that the access or disclosure of the information would be likely to result in serious harm to an individual to whom the information relates.
Who is required to report a data breach?
All staff of the ALT are required under the PPIP Act to report suspected eligible data breaches involving personal information held by the ALT to the Executive Director of the ALT.
What information is ‘held’ by the ALT?
Information is ‘held’ by the ALT if it is in the possession or control of the ALT or in a State record for which the ALT has responsibility. Information held by contractors engaged by the ALT may be taken to be ‘held’ by the ALT if the ALT has a right of access to it.
What obligations does the ALT have following reporting of a suspected eligible data breach?
After receiving a report, or otherwise becoming aware of a suspected eligible data breach, the ALT has certain legal obligations under the PPIP Act, including:
- immediately making all reasonable efforts to contain the data breach;
- undertaking (or appointing another person to undertake) an assessment within 30 days (unless an extension is granted) to determine whether the breach is, or there are reasonable grounds to believe the breach is, an eligible data breach;
- during the assessment period, making all reasonable attempts to mitigate the harm done by the suspected breach;
- following the assessment, making a decision about whether the breach is an eligible data breach or there are reasonable grounds to believe that the breach is an eligible data breach; and
- immediately notifying the NSW Privacy Commissioner, and notifying affected individuals as soon as practicable (unless an exemption applies), of eligible data breaches.
The ALT is also required to:
- keep an internal register of all eligible data breaches; and
- prepare, publish and make publicly available, a data breach policy.
- The ALT may also have an obligation to report the data breach to the Commonwealth Office of the Australian Information Commissioner if the breach involved tax file numbers.
How does the ALT ensure compliance with the mandatory notification of data breach scheme?
The ALT handles data breaches in accordance with this Data Breach Policy. Further, annual privacy training provided to ALT staff will include information about the mandatory notification of data breach scheme obligations in Part 6A of the PPIP Act, in order to promote awareness of and compliance with the scheme.
How can members of the public report a suspected eligible data breach?
Members of the public may report suspected data breaches involving personal information held by the ALT by contacting the Department.