Data breach registers and policies
Overview
Queensland government agencies[1] must handle personal information[2] in accordance with the Information Privacy Act 2009 (Qld) (IP Act). Chapter 3A of the IP Act creates a mandatory notification of data breach (MNDB) scheme, which requires agencies (other than local government[3]) to notify individuals and the Information Commissioner about eligible data breaches involving personal information held by the agency.
The MNDB scheme also requires agencies to keep an internal register of eligible data breaches and publish a data breach policy. This guideline is intended to assist agencies to develop their data breach policy and eligible data breach register. It must be read in conjunction with Mandatory notification of data breach.
In addition to the MNDB guidelines,[4] agencies may find these templates and quick guides helpful:
Data breach registers
Section 72 of the IP Act requires agencies to keep an internal register of eligible data breaches. The register must include:
- a description of the eligible data breach, including the type of data breach under section 47
- the date the agency gave a statement to the Information Commissioner about the eligible data breach and the date any additional information was provided to the Commissioner under sections 51 and 52
- if individuals were directly notified about the eligible data breach, the register must include the individuals who were notified and the date and method by which they were notified
- if the agency relied on an exemption to not notify the Information Commissioner or individuals, details of the exemption
- details of the steps taken by the agency to contain the eligible data breach and mitigate its harm; and
- details of the actions taken by the agency to prevent future data breaches of a similar kind occurring.
Depending on the circumstances, agencies may find it useful to include additional information about a data breach in the register, for example:
- if an eligible data breach is also a breach of another Act, details of that Act; or
- if the agency was required by contract, another law, or circumstances to notify an external party, details of that party and the date of notification.
In addition to being a requirement under the MNDB scheme, maintaining an eligible data breach register will:
- contribute to accurate record keeping and reporting processes
- assist with tracking and analysing data breach risk and reviewing the efficacy of response methods; and
- assist agencies in responding to requests for information from the Information Commissioner.
The Data breach register template and example register at Appendix A will assist agencies to develop a compliant data breach register.
Data Breach Policies
Section 73 of the IP Act requires agencies to prepare and publish a Data Breach Policy (DBP) outlining how it will respond to a data breach, including a breach the agency suspects is an eligible data breach.
The DBP is not required to contain detailed information about an agency’s information security systems, practices or procedures.
What is a DBP and what are the benefits?
A DBP is a documented policy or plan setting out the procedures to be followed if an agency experiences a data breach, including a breach that is a suspected eligible data breach. It should establish the roles and responsibilities of agency staff in responding to and managing a breach.
Data breaches can vary in size and complexity, and the consequences can be significant for individuals whose information is involved. The range of actual or potential harms they can cause include financial fraud, identity theft, damage to reputation, violence, or psychological harms.
Agencies may also experience serious consequences as a result of a data breach. Depending on the data or information involved, breaches may have negative impacts on an agency’s reputation, finances, interests, or operations. Data breaches can result in a loss of confidence and trust in an agency, including in the service it provides.
Having a robust, documented and operationalised DBP can facilitate a timely and effective response to a data breach, in turn avoiding or mitigating potential harms to affected individuals, and reducing the risks to agencies.
Publication of the DBP
Agencies are required to publish their DBP on an accessible agency website.[5] This will generally be the agency's website, but if the agency does not have a website, it can be included on the website of another appropriate agency. For example, Ministerial DBPs could be published on the departmental website.
Agencies should link to their DBP from their Queensland Privacy Principle Policy (QPP Policy)[6] and intranet or other central staff repository, and ensure all staff know how to access the policy.
What should a DBP include?
A DBP should set out an agency’s plan for dealing with data breaches from start to finish. A clear and precise DBP will enable agencies to:
- prepare for, identify, contain, assess, respond to and report on data breaches at the appropriate level and in a timely fashion
- identify who in the agency is responsible for taking what action in response to a data breach
- take action to mitigate potential harm to individuals and the agency; and
- meet obligations under the IP Act.
At a minimum, a DBP should include:
- The agency’s preparations for responding to a data breach.
- The definition of data breach and eligible data breach.
- The agency’s strategy for identifying, reporting, containing, assessing, and managing eligible and suspected eligible data breaches.
- How notification obligations will be met if a data breach is assessed as an eligible data breach.
- A description of the roles and responsibilities of staff members.
- Record keeping requirements.
- Post-breach review and evaluation procedures.
It should align with and cross reference other relevant policies and procedures, such as cyber security response plans and QPP Policies. The DBP should be integrated into existing incident or crisis management processes and align with relevant Queensland government information security reporting and incident response protocols.
The Data breach policy template and checklist in Appendix B will help agencies develop a compliant and effective DBP.
The agency’s preparations for responding to a data breach
A DBP should provide a high-level outline of the actions the agency has taken to prepare for a data breach, including how these actions fit within the agency’s broader systems, policies, and procedures, eg cyber response, general incident or emergency management processes, communications strategies, and risk management frameworks.
The DBP should also include the key controls, systems, and processes that the agency has established for identifying suspected or actual data breaches and ensuring data breaches are effectively managed.
Training and awareness
Well trained and risk aware staff contribute to a strong frontline defence against privacy risks, including from data breaches involving personal information. Data breach reporting by the Office of the Australian Information Commissioner indicates that breaches caused by human error are a significant component of all breaches involving government agencies.[7] Prompt identification of breaches and timely reporting by staff is also an important factor in ensuring agencies can effectively respond to and manage breaches.
An agency’s DBP should outline its approach to staff training and awareness in identifying, responding to, and managing data breaches, and any training or awareness activities about other aspects of privacy protection, eg enhancing staff awareness of privacy and cyber principles and current threat trends.
Processes for identifying and reporting breaches
Developing and documenting processes for promptly detecting data breaches will improve an agency’s ability to contain a breach and mitigate potential harms.
An agency’s DBP should clearly explain how internal staff and external entities, eg the public or another agency, can report an actual or suspected data breach and outline the agency's processes for identifying data breaches. This should not include details of specific controls which could place the agency at additional risk.
The appropriate processes for identifying and preventing data breaches will depend on the size and sophistication of an agency, its information holdings, and its security program and controls, but could include:
- technical controls (such as Data Loss Prevention tools)
- monitoring services (such as dark web monitoring, or social media monitoring)
- audits and reviews; and
- staff training and awareness.
Service providers and contract provisions
Agencies often outsource functions to external service providers (for example, payroll or IT services). These relationships are usually covered by legally binding contracts, memorandums of understanding, or non-disclosure agreements. The agency’s DBP should include information about its contractual or other controls over these service providers and how it monitors and manages service providers to ensure compliance.
Service providers who are not agencies may be bound to comply with aspects of the IP Act,[8] but they cannot be bound to comply with the MNDB scheme; it only applies to agencies. Despite this, in some circumstances[9] the agency’s MNDB obligations will apply if a service provider has a data breach, as discussed in Data breaches and contracted service providers.
Even where a service provider is not bound to comply with the IP Act, agencies should consider including data breach management and notification obligations in service provider contracts and agreements, including an obligation to notify the agency of any data breaches.
Defining and identifying a data breach
A DBP should include a clear explanation of what a data breach and an eligible data breach are, how data breaches can occur, and that identifying, assessing, and responding to data breaches must be conducted on a case-by-case basis. Including examples of the different ways a data breach can occur will be helpful, eg:
- loss or theft of physical devices
- misconfiguration or overprovisioning of access to systems
- accidental or inadvertent disclosure
- deliberate disclosure; and
- social engineering or hacking.
Scenarios will help raise awareness of high-risk activities and processes that could lead to a breach and how data breaches impact the agency, its functions, and the individuals whose information it handles. For example, an agency that handles a large amount of health information could provide examples or scenarios touching on the actual ways that health information is collected, used, stored, and disclosed in practice, reflecting any known risk factors for that agency.
Strategy for containing, assessing, and mitigating eligible data breaches
A DBP should outline the steps an agency will take to respond to a data breach, including a suspected eligible data breach.
Plan to contain, mitigate harm, assess, notify and prevent
To help ensure responses to data breaches are easily and quickly put into action, the DBP should clearly outline the agency’s process for:
- Initial identification and evaluation of suspected breaches and breach reports.
- Containing a breach or suspected breach to minimise any harms.
- Taking steps to mitigate any harms which may result from the breach. The plan should also make clear that the requirements to contain and mitigate are ongoing obligations which continue while the breach is being managed.
- Assessing or evaluating the information involved in the breach and the risks associated with the breach, so as to determine next steps. This should also include steps to assess whether the breach is an eligible data breach as required under the MNDB scheme, including a list of factors which should be considered in this assessment process.
- Notifying individuals and the Information Commissioner if the breach is assessed as an eligible data breach.
- Post incident review and preventative efforts, based on the type and seriousness of the breach.
Where these processes require decisions about how to manage the breach response, the DBP should identify who is responsible for making those decisions.
Strategies for breaches involving more than one agency
The DBP should include strategies for managing, responding to, and providing notice of data breaches involving other agencies.[10]
This could include documenting key contacts and defining roles and responsibilities regarding assessment, remediation, information flow, and notification.
Notification strategy
The DBP should include a clear notification strategy that is consistent with sections 51 to 54 of the IP Act and enables quick and effective communication with affected individuals and the Information Commissioner.
The strategy should outline:
- responsibilities for implementing the notification strategy
- how to determine when affected individuals or organisations must be notified
- key contacts for communications
- responsibilities for notifying the Information Commissioner, consistently with the obligations imposed by sections 51 and 52
- how affected individuals will be contacted and notified in accordance with section 53, and communications with affected individuals managed, including how inquiries will be made of disclosing agencies under section 54; and
- responsibilities for consulting with any other external stakeholders (such as other agencies who may be impacted by the data breach).
Additional obligations or reporting
Agencies may be required by contract, other laws, or the circumstances of the breach to take additional specific steps in response to a data breach. These could include taking specific containment or remediation actions or engaging with or notifying external stakeholders. A DBP should outline the situations in which external reporting or engagement is necessary. If reporting is discretionary, it should include guidance on making the decision.
Depending on the circumstances of the data breach and the categories of data involved, agencies may need to report to or engage with:
- Queensland Police Service
- Crime and Corruption Commission Queensland
- Queensland Government Chief Information Officer
- The Office of the Australian Information Commissioner
- Australian Federal Police
- The Australian Taxation Office
- The Australian Digital Health Agency
- The Australian Cyber Security Centre
- Any third-party organisations or agencies whose data may be affected
- Financial services providers
- Professional associations, regulatory bodies, or insurers; or
- Foreign regulatory agencies.
Agencies may also wish to canvass media and general communications strategies in their DBP.
Roles and responsibilities
Clearly establishing data breach roles and responsibilities will help ensure prompt responses to a data breach. A DBP should set out the roles and functions of agency heads, executive officers, privacy officers, staff generally and any other relevant internal parties in identifying, reporting, and responding to an actual or suspected data breach.
The DBP should identify the breach response team including:
- roles and functions within the team
- subject matter expertise required in the team—this could include incident response specialists, legal, communications, cybersecurity, physical security, human resources, key agency operations staff and key outsourcing/relationship managers; and
- who in the team is responsible for dealing with the relevant elements of the breach.
It should contain escalation procedures for staff, including how to immediately report a suspected breach, when line managers can handle a breach, and the circumstances in which a breach should be escalated to the response team, eg due to the severity of the breach or the level of response required.
It should also identify who is responsible for:
- making escalation decisions at each level
- assessing and identifying the agency's reporting obligations, including notification to the Information Commissioner, individuals, external stakeholders, or other bodies
- maintaining, testing, and updating the DBP
- data breach recordkeeping; and
- post-breach review and evaluation.
Capability, expertise, and resourcing
Prompt action is critical when responding to a data breach. Response strategies will only be effective if they can be quickly and effectively implemented and actioned. This depends on staff, or other people such as external contractors, having the relevant skillsets and being available to deal with the breach.
A DBP should outline the agency’s strategy for ensuring:
- That it has resourcing and personnel with the necessary expertise to respond effectively. To be properly prepared for complex incidents, this may involve engaging (in advance) an outsourced cyber incident response service provider.
- That agency staff who are likely to be required to assess a data breach or make an escalation decision are trained and capable of adequately assessing the breach and its impact. Where possible, these staff should be involved in policy testing and review processes.
Recordkeeping
The agency's processes for documenting breach and suspected breach management and response should be included in the DBP. Keeping appropriate records will provide evidence of how the agency actually responded to a breach or suspected breach, including breaches that do not get escalated to the breach response team or do not meet the eligible data breach threshold.
Accurate records will also assist in tracking and analysing data breaches, including the effectiveness of the response methods. This may enable agencies to identify and remedy weaknesses in security or processes that present a higher risk of error.
Recordkeeping responsibility should be clarified in the DBP. This should include:
- assigning responsibility for keeping the register of eligible data breaches required under section 72; and
- publishing, monitoring and reviewing the currency of public notifications of data breaches published to the agency website under section 53(1)(c).
Post-breach review and evaluation
Understanding which processes worked well, how issues were handled, and areas for improvement in the management of a data breach is an important component of the data breach administration process. This is particularly relevant to mitigating future risks, preventing reoccurrence of similar breaches, and improving personal information handling processes in line with expectations of the community and regulators.
DBPs should include:
- A strategy to identify and remediate any processes or weaknesses in data handling that may have contributed to the breach.
- A post-response assessment of how the agency responded to the breach and the effectiveness of the DBP.
Post-breach review and evaluation will identify any changes needed to process or procedures and is a key part of ensuring agencies can proactively and effectively manage data breaches.
Testing and review schedule
Agencies should consider regular testing and review of the DBP to ensure it is operationally effective, up to date, and properly considers internal agency structure and function, and the changeability of the external threat environment.
Regular testing will also contribute to staff understanding their roles and responsibilities and becoming familiar with escalation procedures for more complex breach incidents. It will also allow for the checking of response processes, such as contact numbers, approval processes and reporting lines to ensure that they are current.
DBPs should be reviewed, tested, and updated at least annually, but agencies should consider developing a schedule for reviewing and updating their DBPs appropriate to their specific agency. The testing and review schedule should be set out in the DBP.
Appendix A – Eligible Data Breach Register example
Register of Eligible Data Breaches (EDB) (as required by section 72 Information Privacy Act 2009)
Date of Breach | Description of EDB / type of data breach | Date statement provided to OIC | Date additional information supplied to OIC or N/A | Individuals notified, including date and method | Details of any exemption(s) relied on, or N/A | Steps taken to contain and mitigate | Actions taken to prevent similar breaches |
---|---|---|---|---|---|---|---|
Appendix B – Checklist for Data Breach Policy (DBP)
Information to be included | Yes/No | Comments |
---|---|---|
Steps the agency has taken to prepare for a data breach | ||
What a data breach is and how staff or external parties can identify and report one | ||
The agency’s plan for containing, assessing, and managing data breaches | ||
Processes that outline when and how individuals are notified | ||
Processes for responding to incidents that involve another entity | ||
Circumstances in which external engagement, including with law enforcement, regulators (such as the Information Commissioner), or other third parties may be necessary | ||
Requirements under agreements with third parties such as insurance policies or service agreements | ||
A clear communication strategy | ||
Clear escalation procedures and reporting lines for suspected data breaches | ||
Members of the data breach response team, including roles, reporting lines and responsibilities | ||
Details of any relevant external expertise or resources and when they should be engaged | ||
A record-keeping policy to ensure that breaches are documented | ||
A schedule for regular review and testing of the DBP | ||
A review process for identifying and addressing any root causes that contributed to the breach | ||
A system for a post-breach review and assessment of the data breach response and the effectiveness of the data breach policy |
- [1] Agency includes a Minister.
- [2] Information about an identified or identifiable individual. Refer to section 12 of the IP Act and Key privacy concepts – personal and sensitive information for more information.
- [3] The application of the MNDB scheme to local governments is delayed until 1 July 2026. Until that time, local government agencies should refer to Privacy breach management and notification for local government.
- [4] Which are based on and include material from guidelines developed by the NSW Information and Privacy Commission.
- [5] Section 73(2).
- [6] Under Queensland Privacy Principle (QPP) 1.3, all agencies must have a clearly expressed and up-to-date QPP privacy policy.
- [7] Office of the Australian Information Commissioner, February 2024, “Notifiable data breaches report - July to December 2023”, page 34.
- [8] Under chapter 2, part 3 of the IP Act.
- [9] The MNDB obligations apply to personal information in documents held by the agency; the definition of held includes documents that the agency has a legal right to access, even if they’re not currently in the agency’s physical possession.
- [10] Section 48(4) provides that where an agency becomes aware an eligible or suspected eligible data breach may affect another agency, the first agency must give that other agency written notice of the breach.
Current as at: July 31, 2025