Data Breach Response

The Base Support Services Inc. (TBSS) is committed to protecting the privacy and personal information that it holds about individuals. In the event of a data breach, TBSS will act promptly and appropriately to contain the breach, assess it, mitigate the resulting harm and notify affected individuals as required.

The purpose of this Data Breach Response Plan is to set out the procedures and lines of authority TBSS will follow in the event that it experiences, or suspects that it has experienced, a data breach.

Definitions

For the purposes of this Plan:

  • A data breach occurs when information held by TBSS is lost or subjected to unauthorised access, modification, disclosure, or other misuse or interference.
  • The terms ‘data’ and ‘information’ are used interchangeably, and each should be taken to mean both data and information.
  • Personal information is information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not, and whether it is recorded in a material form or not (e.g. a person’s name and address, or date of birth).

Data breaches may arise from:

  • loss, or unauthorised access, modification, use, disclosure or other misuse, of information
  • malicious actions, such as theft or ‘hacking’
  • internal errors, or failure to follow information handling policies, that cause accidental loss or disclosure
  • failure to comply with the laws of the States and Territories, or of the Commonwealth.

Examples include a secure IT system containing personal information being hacked, a storage device being lost by an employee, or an employee accidentally releasing personal information to the wrong person.

Interaction of the Plan with other laws and policies

Assessing and responding to a data breach may involve the consideration of a number of overlapping legal requirements. For example, a data breach may involve:

  • criminal activity or fraud against TBSS, which may require referral to the Queensland Police Service or the Australian Federal Police
  • disclosure of information about TBSS by a staff member, which may trigger an investigation under the Code of Conduct.

The TBSS Board, in consultation with the Services Manager, will determine the appropriate approach to dealing with a data breach, taking into account all of TBSS’ legal obligations and seeking external legal advice as necessary.

Responding to data breaches

TBSS will follow the process set out below if there is a data breach relating to personal information about clients or others, as described in its Privacy Policy.

There is no single method of responding to a data breach, and in some cases the following steps will need to be modified. Each data breach must be dealt with on a case-by-case basis: the risks involved are assessed, and that risk assessment is used to decide the appropriate course of action.

Identify

  1. When a staff member (or other person) becomes aware of, or suspects, a data breach, they must notify the Services Manager, who will assess the risk, document the event and report in the first instance to the Board Chair.
  2. The Board Chair will:
    • notify the Board
    • work in consultation with the Services Manager to determine TBSS’ response.
  3. If the data breach relates to information that TBSS has received from another organisation, the Services Manager will notify the organisation which supplied the data.
  4. Depending on the seriousness of the breach, the Board may appoint a response team (comprising the Services Manager, specific Board members and others with appropriate expertise, e.g. security, ICT, data or legal) to undertake the response process below.

Contain

  5. As soon as the breach or suspected breach has been identified, take any steps available to contain it and limit the potential harm, while preserving the evidence needed to establish what happened (see Evidence and record keeping below). For example:

    • if the breach is the result of an ICT security incident (i.e. an event that affects the confidentiality, integrity or availability of TBSS’ information, systems or infrastructure), notifying TBSS’ contracted ICT service provider so that it can implement its incident response
    • stopping the unauthorised practice
    • recovering the records
    • isolating or shutting down the system that has been breached, after capturing the logs and other evidence that a shutdown would otherwise destroy
    • revoking or changing access privileges, including resetting any credentials that may have been exposed
    • addressing weaknesses in physical or electronic security

Assess

  6. Complete a data breach assessment: gather information about what happened, assess the risks and the likelihood of serious harm resulting from the breach, and so determine whether it is an ‘eligible’ (notifiable) data breach.

  7. To evaluate whether a known data breach is notifiable, consider the following three questions:

a. Has there been unauthorised access to, unauthorised disclosure of, or accidental loss or theft of personal information that TBSS holds?

For example, TBSS’ database is hacked, a portable storage device containing personal information is lost, or TBSS accidentally releases personal information to the wrong person.

b. Is it likely that this will result in serious harm to the individual or individuals whose information has been breached?

Serious harm includes, but is not limited to, psychological, financial, emotional, physical or reputational harm. Assessing the likelihood and seriousness of harm accurately requires looking at the context: the kind and sensitivity of the information, who may have obtained it, and how it was breached.

c. Does the likelihood of serious harm remain even after taking the remedial action available to TBSS?

A breach is not an eligible data breach if TBSS takes remedial action promptly, before any serious harm results, so that serious harm is no longer likely to occur (because the harm has been made unlikely, or would not be serious). Remedial action taken only after harm has already occurred does not remove the obligation to notify the Australian Information Commissioner.

If the answer to all three questions is yes, the breach is an eligible data breach and TBSS is required to notify the Australian Information Commissioner and the affected individuals as soon as practicable.

If there are reasonable grounds to suspect that there has been a data breach, the response team should conduct a reasonable and expeditious assessment of the suspected breach. The assessment must be completed within 30 days of TBSS becoming aware of the grounds for suspicion (not 30 days from when the breach occurred, which may not be known), and should establish whether serious harm is likely to result. If serious harm is assessed as likely, the same notification obligations apply as for a known data breach.

Take remedial action

  8. Remedial action can be taken at any point in the data breach response process, and the sooner the better. However, the full extent and nature of the breach, and therefore the actions that could be taken, may not be known until the breach has been assessed and investigated.

Examples of remedial action include remotely wiping a laptop that has been lost (which is only effective if the device was enrolled in remote management and encrypted before it was lost), or, where login details for an online account may have been compromised, resetting the affected credentials and invalidating active sessions on TBSS’ side and emailing the affected individuals with advice to change their password for that account and for any other account where they have reused it.

  9. The response team should document every remedial action taken, and record the rationale for each decision and conclusion reached.

  10. If, after the remedial action has been taken, the risk of harm has been reduced so that serious harm is unlikely to occur, or the harm would not be serious, there is no requirement to notify.

  11. Even where notification is not required, the response team should consider contacting affected individuals with advice on further protecting their information, as a customer service measure.

Notification and Review

  12. The response team will submit a report to the Board Chair, who in consultation with the Services Manager will coordinate notification (if required) of the affected individuals and/or the Australian Information Commissioner.

  13. Whether or not the breach or suspected breach was notifiable, a review should be conducted of the processes relating to the breach, to strengthen protections in the future. Depending on the type and seriousness of the breach, this may include:

    • a full investigation into how the breach occurred
    • implementing measures to prevent it from recurring
    • reviewing security, cybersecurity and ICT policies and procedures
    • auditing the implementation of relevant policies and procedures
    • additional staff training about privacy and data breach response.

Evidence and record keeping

Throughout the above process, the response team will ensure that TBSS:

  • preserves any evidence (such as system and access logs, copies of the affected records, and the lost or compromised device itself where it is recovered) that may be valuable in determining the cause of the breach or allowing TBSS to take appropriate corrective action
  • keeps appropriate records of the suspected breach, including when TBSS became aware of it, the steps taken to rectify the situation, the decisions made, and who made them and when.