Data Breach Policy
Introduction
This Data Breach Policy (Policy) sets out an overview of the Independent Liquor & Gaming Authority’s (the Authority, ILGA) procedures for detecting, responding to, managing, notifying and reporting eligible data breaches in accordance with the Mandatory Notification of Data Breach Scheme (the MNDB Scheme) under Part 6A of the Privacy and Personal Information Protection Act 1998 (NSW) (PPIP Act).
This Policy complies with section 59ZD of the PPIP Act and provides a framework for ILGA’s compliance with the MNDB Scheme.
ILGA personnel should consult internal procedures for detailed guidance on how to respond to a data breach in accordance with this Policy.
The purpose of this Policy is to set out how ILGA will respond to data breaches involving personal information. While not all data breaches will be eligible data breaches, ILGA takes all data breaches seriously and will assess each data breach in accordance with this Policy.
Definitions
Term | Definition |
Breach Response Team | a team consisting of ILGA personnel responsible for coordinating and managing ILGA’s response to a data breach. |
data breach | the unauthorised access to, unauthorised disclosure of, or loss of, personal information held by ILGA. |
Data Breach Response Plan | a detailed internal plan outlining the steps required for ILGA personnel to contain, assess, investigate and respond to a data breach. |
eligible data breach | a data breach likely to result in serious harm to individuals whose personal information is involved in the data breach. |
health information | any personal information that is information or an opinion about a person’s physical or mental health or disability, or the provision of health services to them, including an individual’s express wishes about the future provision of health services to them (section 6 of the Health Records and Information Privacy Act 2002 (NSW) (HRIP Act)). |
likely to result in serious harm | ‘likely’ means the risk of serious harm to an individual is more probable than not. |
MNDB Scheme | the Mandatory Notification of Data Breach Scheme established in Part 6A of the PPIP Act, which commenced on 28 November 2023. |
personal information | information or an opinion about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion (see section 4 of the PPIP Act). In this Policy, personal information also encompasses health information within the meaning of the HRIP Act, including information about an individual’s physical or mental health or disability, or information connected to the provision of a health service to an individual. |
serious harm | harm arising from the eligible data breach that has resulted, or may result, in a real and substantial detrimental effect to the individual. The effect on the individual must be more than mere irritation, annoyance or inconvenience. Harm to an individual includes serious physical, psychological, emotional, financial or reputational harm. |
personnel | all ILGA permanent full-time, part-time, volunteer, trainee and temporary employees, board members and staff authorised to access ILGA information systems and assets; any consultants, persons or organisations authorised to administer, develop, manage and support ILGA information systems and assets; and any third-party suppliers, vendors, contractors and hosted managed service providers. |
Scope
This Policy applies to and must be adhered to and implemented by all personnel.
All personnel have a responsibility to notify the Director, Office of ILGA (OILGA) of any data breach immediately on becoming aware that a data breach has occurred and provide information about the data breach in accordance with procedures in our Data Breach Response Plan.
What is an eligible data breach?
A data breach occurs when there has been unauthorised access to, unauthorised disclosure of or loss of personal information (including health information) held by (or on behalf of) ILGA or any accidental or unlawful destruction or alteration of personal information held by (or on behalf of) ILGA.
A data breach may occur as the result of a malicious action, a systems failure or human error. A data breach may also occur because of a misconception as to whether a particular act or practice is permitted under the PPIP Act.
Examples of data breaches include:
Malicious or criminal attack
- Cyber incidents such as ransomware, malware, hacking, phishing or brute force access attempts resulting in access to or theft of personal information.
- Theft of a physical asset such as a paper record, laptop, USB stick or mobile phone containing personal information.
System fault
- Where a coding error allows access to a system without authentication, or results in automatically generated notices including the wrong information or being sent to incorrect recipients.
- Where systems are not maintained through the application of known and supported patches.
Human error
- When a letter or email is sent to the wrong recipient.
- When system access is incorrectly granted to someone without appropriate authorisation.
- When a physical asset such as a paper record, laptop, USB stick or mobile phone containing personal information is lost or misplaced.
- When staff fail to implement appropriate password security, for example not securing passwords or sharing passwords and login information.
If there are reasonable grounds to believe that the data breach has resulted in, or is likely to result in, serious harm to one or more of the individuals to whom the information relates, the data breach is an ‘eligible data breach’.
Serious harm occurs where there is a substantial detrimental effect on an individual and can be physical, psychological, emotional, financial, or reputational harm. Examples of harms include identity theft, financial loss or blackmail, threats to personal safety, loss of business or employment opportunities, humiliation, stigma, embarrassment, damage to reputation or relationships, discrimination, bullying, marginalisation, or other forms of disadvantage or exclusion.
Process for managing a data breach
ILGA takes reasonable security safeguards against the loss, unauthorised access, use, modification and disclosure of personal information. ILGA has policies and processes for preventing and managing data breaches. The ILGA Data Breach Response Plan provides detailed guidance on how to respond to a data breach in accordance with this Policy.
Data breach response and reporting
ILGA will consider a number of factors in assessing a data breach, including the NSW Privacy Commissioner’s statutory guidelines, and will take the following steps in response to all data breaches:
Step 1: Contain the data breach and conduct a preliminary assessment
- Immediately take all realistic steps to contain the breach and limit any further access or distribution of the affected personal information.
- Conduct preliminary fact-finding about the breach.
- Make a preliminary assessment of the risk posed by the data breach.
The Breach Response Team will consist of:
- The Chair of the Authority with responsibility for final approval on decisions and proposals by the Breach Response Team (or another board member if unavailable).
- Director OILGA who will lead the assessment, mitigation and notification of the data breach.
- ILGA legal team who will identify and advise on any legal obligations and support the drafting of notifications and communications issued under this Policy.
- Manager OILGA who will liaise with any related ICT partners as required to obtain and provide information into the cause and impacts of the data breach.
- Any internal or external expertise and incident response advisors the Breach Response Team determines are required to complete the assessment and mitigation of the data breach.
Step 2: Evaluate and mitigate the risks associated with the data breach
- Complete an assessment of the harm that may eventuate from the breach.
- As soon as practicable, take remedial action to prevent or mitigate the likelihood that the breach will result in harm to any individual.
- Consider requirements under any third party agreements and third party organisations or agencies whose data may be affected.
- For high-risk data breaches, the Breach Response Team should consider whether to involve any other internal or external parties, such as:
  - ID Support
  - Law enforcement agencies, NSW Police Force and/or Australian Federal Police
  - ID Care
  - Financial services providers
  - Professional associations, regulatory bodies
  - The Office of the Australian Information Commissioner, where the data breach may involve tax file numbers or agencies under Federal jurisdiction
  - Cyber Security NSW and/or the Australian Cyber Security Centre.
Step 3: Notify and communicate
- If the breach is assessed as an eligible data breach on the advice of the Breach Response Team, the appropriate communications messaging templates and procedures in the Data Breach Response Plan will be used to notify the Privacy Commissioner of the breach and individuals affected by the breach where required.
- Where ILGA is unable to notify, or where it’s not reasonably practicable to notify, any or all individuals whose personal information was the subject of the breach, ILGA will publish a notification on its website in a public notification register, and will take reasonable steps to publicise that notification.
- Notification is required by law under the PPIP Act and may also be required under the Federal Privacy Act 1988 (Cth).
In accordance with section 59O of the PPIP Act, the notification will include the following specific information, if reasonably practicable:
- The date the data breach occurred
- A description of the data breach
- How the data breach occurred
- The type of data breach that occurred
- The personal information included in the data breach
- The amount of time the personal information was disclosed for
- Actions that have been taken or are planned to secure the information, or to control and mitigate the harm
- Recommendations about the steps an individual should take in response to the data breach
- Information about complaints and review of agency conduct
- The name of the agencies that were subject to the data breach
- Contact details for the agency subject to the data breach or the nominated contact person in relation to the data breach
Step 4: Prevent future data breaches
- After the data breach has been handled, a post-incident review of the process used will be conducted and reported to the Breach Response Team, with details of any recommendations.
Step 5: Record keeping requirements
- The Office of ILGA will maintain an internal register of all eligible data breaches impacting ILGA.
- ILGA will maintain a public notification register on the ILGA website. This will be a public notification register of eligible data breaches where ILGA is unable to notify, or it is not reasonably practicable to notify affected individuals.
For further detailed requirements of our internal and external reporting, personnel must consult our Data Breach Response Plan.
ILGA staff awareness
To ensure that ILGA personnel are and remain aware of their obligations under the MNDB Scheme, ILGA will:
- Develop and provide personnel with our Data Breach Response Plan;
- Provide training on this Policy and our Data Breach Response Plan to raise awareness and appreciation of these privacy obligations generally;
- Provide refresher and on-the-job training as required; and
- Schedule an annual review and update of this Policy, or more frequent reviews and updates if needed.
Further information and contacts
For further information about this Policy, an eligible data breach on the public notification register or if you have any concerns, please contact ILGA:
Independent Liquor and Gaming Authority
McKell Building 2-24 Rawson Place
Sydney NSW 2000
Email: office@ilga.nsw.gov.au
For more information on privacy rights and obligations in New South Wales, please contact the NSW Privacy Commissioner at:
NSW Information and Privacy Commission
Level 17, 201 Elizabeth Street
Sydney NSW 2000
Phone: 1800 472 679
Web: www.ipc.nsw.gov.au
Email: ipcinfo@ipc.nsw.gov.au