Keeping data secure - and what to do if there is a breach
Changes to privacy laws mean the University now has mandatory notification obligations that may apply in the event of loss or unauthorised disclosure of personal information (data breaches).
Data breaches have the potential to harm the individuals affected and to expose organisations to legal, financial and reputational risk. A eligible data breach can be the loss of any information that identifies a person - name, identification numbers, location details or data that details personal aspects of someone’s life. Some data breaches have the potential for greater harm because the information is more sensitive - such as when information like tax file numbers, health information, passport numbers and banking and credit card details are involved. The mandatory notification scheme is intended to ensure that any harm to individuals can be minimised. If data breaches are not responded to promptly and properly, there may be penalties under Australian and international law.
Responding to Data Breaches
All University personnel should familiarise themselves with the University’s Data Breach Response Plan and follow the procedures set out in the Plan when assessing and responding to an actual or suspected data breach.
If you become aware of a data breach, you should immediately:
- Record details of the breach using the Data Breach Report Form; and
- Provide the report form to your Area Manager.
Area managers are required to:
- Take immediate action to contain the breach, remediate harm and preserve evidence. Refer to the Data Breach Response Plan for examples of action that may need to be taken; and
- Provide a copy of the report to the Manager, Compliance who will assess what further steps are necessary.
Except where disclosure is required by the Data Breach Response Plan, keep the incident confidential.
Keeping data secure
We often think of data breaches as being the result of sophisticated hackers quietly infiltrating information systems to disrupt or steal information. But most reported data breaches are the result of human error - lost USBs or mobile devices; hardcopy documents that are left behind; a system user being compromised by an email scam. All can result in unauthorised access to data and should be treated as a potential data breach.
The security measures you apply are critical regardless of how your data is stored in hard or electronic copy, so make sure your record storage practices are compliant with the University’s current Privacy Policy and Management Plan, University Information Management Policy and the IT Acceptable Use and Security Policy and its associated procedures.