Notifiable Data Breach

Purpose
The purpose of the Provider Assist (PA) Data Breach Response Plan is to set out procedures and lines of authority for PA in the event that PA experiences a data breach (or suspects that a data breach has occurred). This Plan is intended to enable PA to contain, assess and respond to data breaches in a timely fashion and to mitigate potential harm to affected individuals.
What is a data breach?
For the purposes of this Plan, a data breach occurs when any information held by PA is lost or subjected to unauthorised access, modification, disclosure, or other misuse or interference. In this Plan, the terms ‘data’ and ‘information’ are used interchangeably and should be taken to mean both data and information.

A data breach that involves information that is ‘personal information’ as that term is defined in the Privacy Act 1988 (Privacy Act) (i.e. information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not, and whether it is recorded in a material form or not) may also constitute a breach of the Privacy Act, depending on whether the circumstances giving rise to the data breach also constitute a breach of one or more of the Australian Privacy Principles (APPs) or a registered APP code. Data breaches involving personal information that are likely to place individuals at serious risk of harm must be reported to the affected individual(s) and the Australian Information Commissioner in accordance with the requirements of the Notifiable Data Breaches scheme introduced by the Privacy Amendment (Notifiable Data Breaches) Act 2017. Whether a breach exposes individuals to a “serious risk of harm” will need to be considered at the time of the data breach.

Data breaches may arise from:
  • loss or unauthorised access, modification, use or disclosure or other misuse;
  • malicious actions, such as theft or ‘hacking’;
  • internal errors or failure to follow information handling policies that cause accidental loss or disclosure; and
  • not adhering to relevant laws.
Interaction of the Plan with other laws and policies
Assessing and responding to a data breach may involve the consideration of a number of overlapping policies and legal requirements. For example, a data breach may involve:
  • criminal activity which may require referral to the Australian Federal Police;
  • a security incident which may require consideration of the Australian Government Protective Security Policy Framework;
  • fraud against the Commonwealth;
  • a disclosure of information about PA by a staff member or contractor that may trigger an investigation under the Public Interest Disclosure Act 2013; and
  • a suspected breach of the Australian Public Service Code of Conduct that may trigger an investigation under the Public Service Act 1999.
PA’s Chief Executive Officer will determine the appropriate approach to dealing with a data breach, taking into account all of PA’s legal obligations, with legal advice as necessary.
Responding to data breaches
PA will follow the process set out below and in Attachment A if there is a data breach. However, it should be noted that there is no single method of responding to a data breach and in some cases the following steps may need to be modified. Data breaches must be dealt with on a case-by-case basis, by undertaking an assessment of the risks involved, and using that risk assessment to decide the appropriate course of action.
Suspected or known data breach
1. When a PA employee or contractor becomes aware or suspects that there has been a data breach, they will immediately notify their manager, who will assess the risk, document the event and report in the first instance to the Information and Systems Team.
2. The Information and Systems Team will notify:
  • PA’s Chief Executive Officer who will include details of the breach in a data breach register. The data breach register entry will contain a brief description of the nature of the breach, how it occurred, the date of the breach, the date of discovery and the date of notification to PA (for an external breach); and
  • PA’s Business Partners (and other senior managers as required) to determine PA’s response.
3. If the data breach relates to information that PA has received from a stakeholder, the Chief Executive Officer will notify the stakeholder which supplied the data, if the data is identifiable at a health provider or lower level. Each stakeholder will have their own process that must be adhered to, and PA will provide assistance and support in completing these processes.
4. Depending on the seriousness of the breach, PA’s Chief Executive Officer may appoint a staff member or a response team comprising personnel with the necessary expertise (e.g. security, ICT, data, legal etc.) to undertake the response process set out below and in further detail in Attachment A.
Contain
5. The staff member/response team will take immediate steps to contain the breach, which may include:
  • if the breach is the result of an ICT security incident (i.e. an event that affects the confidentiality, integrity or availability of PA’s information, systems and infrastructure), notifying the Information and Systems Team to implement a response in accordance with PA’s Protective Security Policy;
  • stopping the unauthorised practice;
  • recovering records;
  • shutting down the system that has been breached;
  • revoking or changing computer access privileges;
  • addressing weaknesses in physical or electronic security; and
  • alerting building security.
Assess
6. The staff member/response team will complete a data breach assessment in accordance with the Data Breach Assessment Report template at Attachment B.
Notification and Review
7. The staff member/response team will submit the completed Data Breach Assessment Report to the Chief Executive Officer, who will coordinate notification (if required) of affected individuals and/or the Australian Information Commissioner and PA’s internal review of the data breach.
Evidence and Record Keeping
The response team will ensure that, throughout the data breach response process, PA will:
  • preserve evidence that may be valuable in determining the cause of the breach or in allowing PA to take appropriate corrective action; and
  • keep appropriate records of the suspected breach, including the steps taken to rectify the situation and the decisions made.