Australian Privacy Principles (APPs) means the 13 APPs set out in Schedule 1 of the Privacy Act 1988 (Cth) (https://www.oaic.gov.au/privacy/australian-privacy-principles).
Data breach A data breach occurs when sensitive or personal information is accessed, disclosed or exposed to unauthorised people.
Notifiable Data Breach (NDB) is a data breach that is likely to result in serious harm to any of the individuals to whom the personal information relates. An NDB occurs when personal information held by an organisation is subjected to unauthorised access or disclosure, or is lost in circumstances where unauthorised access or disclosure is likely to occur, and serious harm is likely to result. In such circumstances, the College must notify the Office of the Australian Information Commissioner (OAIC) and affected individuals as required under the Privacy Amendment (Notifiable Data Breaches) Act 2017.
Personal information is information or an opinion in any form about an identifiable individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not.
Sensitive information means information about racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual orientation or practices, or criminal record, as well as health information, genetic information and biometric information (for example, an electronic representation of a person's face, fingerprints, iris, palm, signature or voice).
Serious harm is determined with regard to the following relevant matters, as listed in section 26WG of the Privacy Act 1988 (Cth) (inserted by the Privacy Amendment (Notifiable Data Breaches) Act 2017):
- the kind or kinds of information;
- the sensitivity of the information;
- whether the information is protected by one or more security measures;
- if the information is protected by one or more security measures, the likelihood that any of those security measures could be overcome;
- the persons, or the kinds of persons, who have obtained, or who could obtain, the information;
- if a security technology or methodology:
  - was used in relation to the information; and
  - was designed to make the information unintelligible or meaningless to persons who are not authorised to obtain the information;
  the likelihood that the persons, or the kinds of persons, who:
  - have obtained, or who could obtain, the information; and
  - have, or are likely to have, the intention of causing harm to any of the individuals to whom the information relates;
  have obtained, or could obtain, information or knowledge required to circumvent the security technology or methodology;
- the nature of the harm;
- any other relevant matters.
Unauthorised access occurs when personal information is accessed by someone who is not permitted to have access. This could include an employee of the entity, a contractor or an external third party (for example, through hacking).
Unauthorised disclosure occurs when an entity releases/makes visible the information outside the entity in a way not permitted by the Privacy Act, whether intentionally or unintentionally.
MST is committed to protecting the privacy of personal information and recognises the importance of ensuring that appropriate measures are in place to:
- effectively respond to an actual or suspected data breach involving data or information in any form or medium held by the College (Data); and
- ensure compliance with the relevant legislative framework under the Privacy Act 1988 (Cth) (the Act) concerning personal information data breaches.
MST is required to comply with a number of privacy laws including the Privacy Act 1988 (Cth) (the Act), the Australian Privacy Principles contained in the Act (APPs) and the Privacy Amendment (Notifiable Data Breaches) Act 2017 (NDB Act). The APPs regulate the manner in which personal information is handled by the College.
The Privacy Amendment (Notifiable Data Breaches) Act 2017 (NDB Act) established a Notifiable Data Breaches (NDB) scheme requiring organisations covered by the Act to notify any individuals likely to be at risk of serious harm from a data breach. The Office of the Australian Information Commissioner (OAIC) must also be notified.
Adherence to this Procedure and Response Plan will ensure that MST can contain, assess and respond to data breaches expeditiously and mitigate potential harm to the person(s) affected.
This Procedure and Response Plan has been informed by:
- The Office of the Australian Information Commissioner’s “Data breach notification guide: a guide to handling personal information security breaches”
- The Privacy Amendment (Notifiable Data Breaches) Act 2017 (NDB Act)
- The Act and Australian Privacy Principles (Schedule 1 of the Act)
As an education provider, and an employer, MST is required to collect, use and disclose personal information. Personal information includes all information or opinion, whether true or not and whether recorded in a material form or not, about an individual. This includes (but is not limited to) the information that the College holds in relation to students, staff, contractors, and even information regarding individuals who attend College functions.
The APPs specifically require MST to take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification or disclosure. This Policy is part of the College's endeavours to comply with this obligation.
This Policy sets out the processes to be followed by Melbourne School of Theology (MST) staff if the College experiences a data breach or suspects that a data breach has occurred.
This Policy should be read in conjunction with the College's Privacy Policy.
This Policy applies to all employees (full time, part-time, casual or volunteer) of the College.
Process where a data breach occurs or is suspected
1. Alert
Where a privacy data breach is known to have occurred (or is suspected) any member of MST staff who becomes aware of this must, within 24 hours, alert the Chief Operations Officer.
The information that should be provided (if known) at this point includes:
- When the breach occurred (time and date)
- Description of the breach (type of personal information involved)
- Cause of the breach (if known) otherwise how it was discovered
- Which system(s), if any, are affected
- Whether corrective action has occurred to remedy or ameliorate the breach (or suspected breach)
A link to the Breach Process Form template can be found at Appendix A to assist in documenting the required information.
2. Assess and determine the potential impact
Once notified of the information above, the Chief Operations Officer must consider whether a privacy data breach has (or is likely to have) occurred and make a preliminary judgement as to its severity. The IT Manager or the IT department should be contacted for advice.
3. Criteria for determining whether a privacy data breach has occurred
a) Is personal information involved?
b) Is the personal information of a sensitive nature?
c) Has there been unauthorised access to personal information, or unauthorised disclosure of personal information, or loss of personal information in circumstances where access to the information is likely to occur?
4. Criteria for determining severity
a) The type and extent of personal information involved
b) Whether multiple individuals have been affected
c) Whether the information is protected by any security measures (password protection or encryption)
d) The person or kinds of people who now have access
e) Whether there is (or could be) a real risk of serious harm to the affected individual(s)
f) Whether there could be media or stakeholder attention as a result of the breach or suspected breach
With respect to (e) above, serious harm could include physical, psychological, emotional, economic/financial or reputational harm, and is defined in section 9 of the Privacy Policy and section 26WG of the NDB Act.
5. Instruct
Having considered the matters in steps 1 to 4 above, the Chief Operations Officer must issue pre-emptive instructions as to whether the data breach should be managed at the local level or escalated to the Data Breach Response Team (Response Team). This will depend on the nature and severity of the breach.
6. Data breach managed at the College level
Where the Chief Operations Officer instructs that the data breach is to be managed at the local level he/she must:
- ensure that immediate corrective action is taken, if this has not already occurred (corrective action may include: retrieval or recovery of the personal information, ceasing unauthorised access, shutting down or isolating the affected system); and
- submit a report to the College Executive within 48 hours of issuing instructions under step 5 above. The report must contain the following:
- Description of breach or suspected breach;
- Action taken;
- Outcome of action;
- Processes that have been implemented to prevent a repeat of the situation;
- Recommendation that no further action is necessary.
The College Executive will sign-off that no further action is required.
The report will be logged by the Chief Operations Officer.
7. Data breach managed by the Response Team
Where the Chief Operations Officer instructs that the data breach must be escalated to the Response Team, he/she will convene the Response Team and notify the Executive Principal. The Response Team will consist of:
- Chief Operations Officer;
- IT Manager;
- any other person deemed appropriate to assist in the circumstances.
8. Primary role of the Response Team
There is no single method of responding to a data breach and each incident must be dealt with on a case-by-case basis by assessing the circumstances and associated risks to inform the appropriate course of action. The following steps may be undertaken by the Response Team (as appropriate):
- Immediately contain the breach (if this has not already occurred). Corrective action may include: retrieval or recovery of the personal information, ceasing unauthorised access, shutting down or isolating the affected system.
- Evaluate the risks associated with the breach, including collecting and documenting all available evidence of the breach having regard for the information outlined above.
- Call upon the expertise of, or consult with, relevant staff in the particular circumstances.
- Engage an independent cyber security or forensic expert as appropriate.
- Assess whether serious harm is likely (with reference to section 4 above and section 26WG of the NDB Act).
- Make a recommendation to the Executive Principal whether this breach constitutes an NDB for the purpose of mandatory reporting to the OAIC and the practicality of notifying affected individuals.
- Consider developing a communication or media strategy including the timing, content and method of any announcements to students, staff or the media.
The Response Team must undertake its assessment within 48 hours of being convened.
The Chief Operations Officer will provide periodic updates to the Executive Principal as deemed appropriate.
9. Notification
Having regard to the Response Team's recommendation in 8 above, the Chief Operations Officer will determine whether there are reasonable grounds to believe that an NDB has occurred. Where there are only reasonable grounds to suspect an NDB, the Act requires that the assessment of whether an NDB has occurred be completed within 30 days of the College becoming aware of the suspected breach.
If there are reasonable grounds to believe that an NDB has occurred, the Chief Operations Officer must prepare a prescribed statement and provide a copy to the OAIC as soon as practicable after forming that belief.
A link to the OAIC template can be found at Appendix B.
If practicable, the College must also notify each individual to whom the relevant personal information relates. Where impracticable, the College must take reasonable steps to publicise the statement (including publishing on the website).
The prescribed statement will be logged by the Chief Operations Officer.
10. Secondary Role of the Response Team
Once the matters referred to in 8 and 9 have been dealt with, the Response Team should turn attention to the following:
- Identify lessons learnt and remedial action that can be taken to reduce the likelihood of recurrence – this may involve a review of policies, processes, refresher training.
- Prepare a report for submission to the College Executive and the College Board.
- Consider the option of an audit to ensure the necessary outcomes have been effected and are effective.
Responsibilities
The Executive Principal has overall responsibility for the implementation of this policy.
Evaluation
This policy will be reviewed as part of the College’s three-year review cycle. Following every data breach incident, a review shall be conducted to assess whether the College’s data protection policies or procedures require modification to better protect the College’s data.
Communication
This policy is publicly available and communicated to all staff and members of the College Board.
Contact details
Contact for all matters related to privacy, including complaints about breaches of privacy, should be directed as follows:
Chief Operations Officer
E: apham@mst.edu.au
T: 03 97909200
5 Burwood Highway, Wantirna VIC 3152