Data Breach Guidance for NSW Agencies, updated September 2020
Data Breaches and Notification

What is a data breach?

A data breach occurs when there is a failure that has caused, or has the potential to cause, unauthorised access to your Agency’s data. Although malware, hacking and data theft are usually the first examples of data breaches that come to mind, many breaches are the result of simple human or technical errors rather than malicious intent. The accidental loss of a paper record, laptop or USB stick may constitute a data breach under NSW regulation, as would emails sent to the wrong recipients if they contained classified material or personal information. Data breaches can also occur when authorised system users access restricted information for unauthorised reasons, such as employees looking up Agency-held information for personal purposes. Agencies should take a broad approach when thinking about the types of data breach that may occur in their organisation.

Some data breaches are serious and can potentially harm the individuals and agencies whose information is breached. While NSW does not currently have a mandatory notifiable data breach reporting requirement, the Privacy Commissioner has a voluntary reporting scheme in place. The voluntary scheme encourages agencies that have experienced a serious data breach to report the details of the breach to the Privacy Commissioner, so that the Privacy Commissioner can assess the breach, provide advice or investigate.

What are the benefits of reporting a data breach?

If you identify that a data breach has occurred, there are significant benefits in being proactive in reporting:
What are the potential impacts of a data breach?

The impact of a data breach depends on the nature and extent of the breach and the type of information that has been compromised. Some breaches may involve only one or two people, while others may affect hundreds or thousands. Larger breaches expose a wider group of people and could require considerable notification and remediation activities. However, it is not only the initial size of the breach that determines its impact. If sensitive or confidential information is breached, reputational and financial harm can occur for the Agency itself, Agency staff and the Government. There have been cases of breached information being used to derail programs of work and undermine professional relationships. Serious impacts of a data breach could include:
Breaches of personal data can result in significant harm, including people having their identities stolen or the private home addresses of protected or vulnerable people being disclosed. In some circumstances, this can expose an individual to a significant risk of harm. As such, even a breach affecting a small number of people may have a large impact. Agencies should assess the specific risks based on the type of data they hold, and the specific circumstances surrounding the data breach. Agencies should also consider the risks that could result from data breaches:
How do I determine how serious a breach is?

Determining the seriousness of the breach affects what response actions should be taken and whether the breach should be reported or not. There is no objective measure of seriousness, and agencies should work out what constitutes a serious breach by:
In assessing the seriousness of the breach, the Agency should consider:

- The type of data that has been breached – does it include financial, health or other sensitive categories of data? Are there other characteristics of the data that could pose a high risk (e.g. commercial information that could pose a reputational risk to an Agency or other organisation)?
It is recommended that agencies implement a process to assess seriousness so that a risk threshold can be applied to data breach protocols. The following case studies illustrate how the seriousness of a breach may be assessed.

Data breach case studies

Case study 1: Mail merge problem

A mail-merge problem at a large government Agency resulted in emails being sent to the wrong recipients. The subject of the email was a retirement party being held for an outgoing employee, and the email included details about the employee, the date and location of the party, and the contact details of the sender. A brief look at the recipient list showed that the email had accidentally been sent to unintended internal business teams, as well as a few external consultants.

In this case, while information was sent to a reasonable number of unintended recipients, the consequences are limited to some potential embarrassment for the retiring employee and a minor level of reputational damage that may result from the external consultants noticing that a mistake has been made. This would not constitute a serious breach and should be handled internally. Reporting to the Privacy Commissioner is not recommended in this case. Actions may include sending apologies and fixing the mail merge problem.

Case study 2: Lost laptop

The daughter of a staff member at a smaller regional council had her laptop computer stolen at a university library. Upon hearing about this, the staff member remembered having used the daughter’s laptop during a conference and suspected that copies of unsecured spreadsheets containing sensitive information were still on the computer’s desktop. This information included account access, financial and personal information about council staff. The daughter was not sure whether the laptop was password protected.

In the hope of recovering the laptop, the staff member waited until the police investigation was over before reporting the breach to management. This would be considered a serious breach and should have been reported to the council immediately, and then in turn to the Privacy Commissioner. A combination of factors contributes to the likelihood that serious harm could occur: the laptop is a personal device that council IT staff are unable to monitor or secure; the compromised information is sensitive and has clear potential for misuse; the security settings on the laptop itself are uncertain; and a long time passed between when the breach occurred and when the council identified it. The lack of immediate notification to the council means that steps to isolate and mitigate the damage could not be taken. The Privacy Commissioner’s assessment would look at the details of the breach and the actions taken in response, and would potentially suggest improvements to staff training, device-use policies and data breach response plans.