- iSeekSupport Policy and Procedure - Published 09.02.2022
NDIS Practice Standard 1: Rights and Responsibilities
1.0 Purpose
To meet legislative compliance requirements as a mandatory reporter of eligible data breaches to the Office of the Australian Information Commissioner (OAIC) and any individuals potentially affected by a data breach. Our organisation must inform relevant authorities of any breach, limit and reduce risks to the business, and ensure continuous improvement in the maintenance of data held by our organisation.
2.0 Scope
All staff members must maintain the confidentiality of all data relating to participants and other staff members. This policy relates to all personal data regarding both participants and team members.
3.0 Definitions
4.0 Policy
iSeekSupport views data breaches as having severe consequences, so the organisation must have robust systems and procedures in place to identify and respond effectively.
iSeekSupport will delegate relevant staff members with the knowledge and skills required to become a Data Breach Response Team member.
Staff are required to inform the manager or their delegate of any potential or suspected data breach immediately. Within forty-eight (48) hours, the manager is to complete a Data Breach Process Form. The manager must also ensure that, as a regulated entity, iSeekSupport notifies the affected individuals and the Commissioner of any eligible data breach as soon as practicable (and no later than thirty (30) days after becoming aware of the breach or suspected breach).
If a staff member becomes aware that there are reasonable grounds to believe that there has been an eligible data breach, iSeekSupport is required to promptly notify any individuals at risk of being affected by the data breach and the OAIC.
iSeekSupport will undertake the following when an eligible data breach has occurred:
1. Prepare a statement that, at a minimum, contains:
   - iSeekSupport contact details
     i) If relevant, the identity and contact details of any entity that jointly or simultaneously holds the same information in respect of which the eligible data breach has occurred, e.g. due to outsourcing, joint venture or shared services arrangements. If information of this sort is included in the statement, the other entity will not need to report the eligible data breach separately.
   - A description of the data breach
   - The kinds of information concerned
   - The steps it recommends individuals take to mitigate the harm that may arise from the breach (while the entity is expected to make reasonable efforts to identify and include recommendations, it is not expected to identify every recommendation possible following a breach).
2. Provide a copy of the prepared statement to the OAIC using the online Notifiable Data Breach Form.
3. Undertake reasonable steps to notify affected or at-risk individuals of the contents of the statement. Individuals will be notified by email, telephone or post, depending on the situation; if direct notification is not practicable, iSeekSupport will publish the statement on its website and take reasonable steps to publicise its contents.
5.0 Procedure
5.1 Stage 1. Assess and determine the potential impact
- Once notified of the potential data breach, the PRACTICE MANAGER must consider whether a privacy data breach has occurred (or is likely to have occurred) and make a preliminary judgement as to its possible severity.
- Advice on how to manage the data breach should be sought from appropriate managerial staff.
- Criteria for determining whether a privacy data breach has occurred:
  - Is personal information involved?
  - Is the personal information of a sensitive nature?
  - Has there been unauthorised access to personal information, unauthorised disclosure of personal information, or loss of personal information in circumstances where unauthorised access to the information is likely to occur?
- Criteria for determining the severity of the breach:
  - Type and extent of personal information involved
  - The number of individuals that have been affected
  - Whether the information is protected by any security measures (password protection or encryption)
  - Type of person/s who now have access
  - Whether there is (or could be) a real risk of serious harm to the affected individuals
  - Whether there could be media or stakeholder attention due to the breach/suspected breach.
- Concerning the above, serious harm could include physical, psychological, emotional, economic/financial or reputational harm, and is defined in Section 26WG of the National Data Breach Act.
The manager and relevant staff will take a preliminary view as to whether the breach (or suspected breach) may constitute a Notifiable Data Breach. Accordingly, the manager will issue pre-emptive instructions as to whether the data breach should be managed at the local level or escalated to the Data Breach Response Team (Response Team); this will depend on the nature and severity of the breach.
5.2 Stage 2. Select appropriate data breach management option
Option 1 – Data breach managed at a local level by managerial staff
1. The manager will ensure implementation of immediate corrective action if this has not already occurred. Corrective action may include retrieval or recovery of the personal information, ceasing unauthorised access, or shutting down or isolating the affected system.
2. A Data Breach Process Report is to be completed within 48 hours of receiving instructions. The report will contain a:
   - Description of the breach or suspected breach
   - Summary of action taken
   - Summary of outcomes from the action taken
   - Outline of processes implemented to prevent a repeat situation
   - Recommendation that outlines why no further action is necessary.
3. The manager will sign off, confirming that no further action is required.
Option 2 – Data breach managed by the Data Breach Response Team
- When the manager instructs that the data breach be escalated to the Response Team, the manager will convene the Response Team and notify any relevant managerial staff.
The Response Team will consist of:
- Human Resource nominee
- Information Technology nominee
- Marketing and external relations nominee
- Other people nominated by the manager.
5.2.1 Primary role of the Data Breach Response Team
There is no single method of responding to a data breach. Each incident must be dealt with on a case-by-case basis by assessing the circumstances and associated risks to inform the appropriate course of action. The following steps may be undertaken by the Response Team, as appropriate:
1. Immediately contain the breach if this has not already occurred. Corrective action may include retrieval or recovery of the personal information, ceasing unauthorised access, or shutting down or isolating the affected system.
2. Evaluate the risks associated with the breach, including collecting and documenting all available evidence regarding the criteria outlined above.
3. Call upon the expertise of, or consult with, relevant staff members in specific circumstances.
4. Engage an independent cybersecurity or forensic expert, as appropriate.
5. Assess whether serious harm is likely (with reference to the criteria above and Section 26WG of the National Data Breach Act).
6. Make a recommendation to the manager as to whether this breach constitutes an NDB for mandatory reporting to the OAIC, and on the practicality of notifying affected individuals.
7. Consider developing a communication or media strategy, including the timing, content and method of any announcements to participants, staff members or the media.
8. The Response Team must undertake its assessment within 48 hours of being convened.
5.2.2 Secondary role of the Data Breach Response Team
Once the data breach has been dealt with appropriately, the Response Team should turn its attention to the following steps:
1. Identify lessons learnt and remedial action that can be taken to reduce the likelihood of a recurrence; this may involve a review of policies and processes and refresher training.
2. Prepare a report for submission to senior management.
3. Consider conducting an audit to ensure that the necessary outcomes have been effected and are effective.
5.3 Stage 3. Notify the Office of the Australian Information Commissioner
- Taking into consideration the Response Team’s recommendation, the manager will determine whether there are reasonable grounds to suspect that a Notifiable Data Breach has occurred.
- If there are reasonable grounds, the manager must prepare a prescribed statement and provide a copy to the OAIC as soon as practicable (and no later than 30 days after becoming aware of the breach or suspected breach).