Data breach policy

1. Purpose

This policy establishes the framework for identifying, managing, and responding to data breaches within the Office of the Information Commissioner (OIC). It ensures compliance with the Information Privacy Act 2009 (Qld), the Queensland Government Information and Cyber Security Policy (IS18:2025), and other relevant legislation. The policy aims to protect the privacy of individuals, safeguard OIC information and minimise harm resulting from data breaches. Effective breach management, including notification where warranted, assists the OIC in avoiding or reducing harm to affected individuals and organisations. It also provides an opportunity to learn from incidents and strengthen data protection measures.

2. Scope

This policy applies to all employees, contractors, subcontractors of a contractor, consultants and third-party service providers who handle OIC data, including personal information, sensitive information and confidential data. It covers all data breaches, whether accidental or deliberate, that occur within the OIC’s IT systems, physical records or third-party services.

The Mandatory Notification Data Breach (MNDB) Scheme only applies to agencies as defined in the IP Act. This definition excludes quasi-judicial entities which are undertaking quasi-judicial functions. This means that when the OIC undertakes its quasi-judicial functions (such as external review), those functions are not covered by the MNDB scheme.

3. Human rights

Several human rights protected under the Human Rights Act 2019 (Qld) are directly relevant to data breaches and the handling of personal information:

  • Privacy and Reputation (Section 25) Every individual has the right not to have their privacy, family, home, or correspondence unlawfully or arbitrarily interfered with. A data breach involving personal information could infringe on this right if not managed appropriately.
  • Right to Protection of Families and Children (Section 26) If a data breach involves sensitive information about children or families, additional care must be taken to protect their rights.
  • Right to Life (Section 16) In extreme cases, a data breach could endanger someone's life (e.g., if sensitive information about a person in a protected witness program is disclosed). Agencies must act to prevent such risks.
  • Equality Before the Law (Section 15) Agencies must ensure that their response to data breaches does not unfairly disadvantage vulnerable groups, such as people with disabilities, Aboriginal and Torres Strait Islander peoples, or those from culturally and linguistically diverse backgrounds.

4. Roles, responsibilities and delegations

Role / Responsibility
OIC Head (or Delegate)
  • Ensure the OIC complies with relevant legislation and policies regarding data breaches.
  • Approve and oversee the implementation of post-breach remediation actions.
Data Breach Response Team
  • Review, assess and remediate incidents escalated to the team.
  • Follow this policy when responding to a data breach.
  • Consult with internal and external stakeholders as required.
  • Determine if a Data Breach is an Eligible Data Breach.
  • Review and respond to data breaches impacting the OIC’s external service providers.
Manager, Information Systems and Management
  • Lead the technical response to data breaches, including containment, mitigation, and remediation.
  • Maintain the Register of Eligible Data Breaches.
Employees and Contractors
  • Report suspected or actual data breaches immediately to the OIC’s IS&M team.
  • Follow OIC policies and procedures to prevent data breaches.
  • Respond to requests for information from and cooperate with the Privacy Officer and/or the Data Breach Response Team.
  • Comply with record keeping obligations.
Third-Party Service Providers
  • Notify the OIC promptly of any data breaches involving OIC data.
  • Comply with contractual obligations regarding data protection and breach notification.

5. Policy statement

Reporting a Data Breach

Internal Reporting

All actual or suspected data breaches must be reported immediately to the OIC’s IS&M team.

In urgent situations, employees should contact any member of the Data Breach Response Team.

External Reporting

Members of the public can report a suspected data breach by contacting the OIC through its website or by phone.

Responding to a Data Breach

The OIC will follow a six-stage process to respond to data breaches:

Stage 1: Preparation

  • Maintain an up-to-date Data Breach Response Plan
  • Conduct regular training for employees on data breach prevention and response.
  • Ensure robust security measures are in place, including encryption, access controls, and regular audits.

Stage 2: Identification

  • Identify and report suspected data breaches immediately to the OIC’s IS&M team.
  • Conduct an initial assessment to determine whether a data breach has occurred.
  • Document the details of the incident, including the date, time, and nature of the breach.

Stage 3: Containment and Mitigation

  • Take immediate steps to contain the breach and prevent further unauthorised access or disclosure.
  • Implement measures to mitigate harm.

Stage 4: Assessment

Assess the scope and impact of the breach, including:

  • The type of data involved.
  • The number of individuals affected.
  • The potential for serious harm.
  • Determine whether the breach meets the criteria for an eligible data breach under the Information Privacy Act 2009 (Qld) and the MNDB scheme.

Stage 5: Notification

  • If the breach is deemed eligible, notify affected individuals and the Office of the Information Commissioner Queensland (OIC) as soon as practicable.
  • Notifications must include:
    • A description of the breach.
    • The type of information involved.
    • Steps individuals can take to protect themselves.
    • Contact details for further information.
  • If notification is not required, document the reasons for this decision.

Stage 6: Post Data Breach Review and Remediation

  • Conduct a post-incident review to identify the root cause of the breach and evaluate the effectiveness of the response.
  • Implement corrective actions to prevent future breaches, such as updating policies, improving security measures, or providing additional training.

6. Register of eligible data breaches

The OIC will maintain a Register of Eligible Data Breaches, which will include:

  • Details of the breach (e.g., date, nature, and scope).
  • Actions taken to contain and mitigate the breach.
  • Assessment outcomes and notification decisions.
  • Post-incident review findings and remediation actions.

7. Record keeping

All data breach incidents, whether eligible or not, must be documented and retained in accordance with the Public Records Act 2002 (Qld). Records must include evidence of compliance with this policy and relevant legislation.

8. Definitions/glossary of terms

For the purposes of this policy and related policy documents, the following definitions apply:

Term / Definition
Affected individual

An “affected individual” under section 47(1)(ii) of the Information Privacy Act 2009 (Qld).
Data breach

An incident where personal or OIC data is accessed, disclosed, lost, or destroyed without authorisation, potentially causing harm.
Eligible data breach

An “Eligible Data Breach” will have occurred under section 47 of the IP Act where:

  1. there has been unauthorised access to, or unauthorised disclosure of personal information held by an agency, and
    the access or disclosure is likely to result in serious harm to any of the individuals to whom the information relates; or
  2. there has been loss of personal information held by an agency that is likely to result in unauthorised access to, or unauthorised disclosure of the personal information, and
    the loss is likely to result in serious harm to any of the individuals to whom the information relates.
Held or hold, in relation to personal information

Personal information is held by a relevant agency, or the agency holds personal information, if the personal information is contained in a document in the possession, or under the control, of the relevant agency.
Personal information

Information or an opinion about an identified individual or an individual who is reasonably identifiable from the information or opinion:

  1. whether the information or opinion is true or not, and
  2. whether the information or opinion is recorded in a material form or not.
Sensitive information

Includes personal information about an individual’s racial or ethnic origin, political opinions, religious beliefs, sexual orientation, health information, or criminal record.
Serious harm

To an individual in relation to the unauthorised access or unauthorised disclosure of the individual’s personal information, includes, for example:

  1. serious physical, psychological, emotional or financial harm to the individual because of the access or disclosure, or
  2. serious harm to the individual’s reputation because of the access or disclosure.
Unauthorised access

Access to data by an individual or entity without permission. Examples include:

  • An employee browsing records without a legitimate purpose.
  • A cyberattack compromising OIC systems.
Unauthorised disclosure

Disclosure of data to an unauthorised party. Examples include:

  • Sending personal information to the wrong recipient.
  • Publishing sensitive information online without consent.

9. Related policy documents and supporting documents

Legislation
Policy