Procedure: Data breach response plan
Identification of a breach
- ANU experiences data breach or a data breach is suspected: this may be discovered by an ANU staff member, or an ANU staff member may be alerted by another party or system.
- When an ANU staff member discovers a known or suspected data breach they should immediately notify the ANU Privacy Officer by providing as much information as possible such as the time and date the known or suspected breach was discovered, the type of personal information involved, the cause and extent of the breach, and the context of the affected information and the breach.
- Any immediate steps available to contain the breach must be identified and implemented in discussion with the Privacy Officer. Reducing the scale and impact of a data breach can prevent the need for notification to the OAIC. All known or suspected data breaches must still be notified internally to the ANU Privacy Officer.
Assessment of a breach
- Not all data breaches are notifiable. If, after an initial investigation, the Privacy Officer suspects a notifiable data breach may have occurred, a reasonable and expeditious assessment must be undertaken to determine if the data breach is likely to result in serious harm to any individual affected.
- The ANU Privacy Officer will seek information to assess the suspected breach. In assessing a suspected breach, the Privacy Officer may require assistance and information from other areas of the University depending on the circumstances. For example, a system suspected breach will be investigated by the IT Security Manager, Cyber & Digital Security together with the Privacy Officer and a non-system suspected breach will be investigated by the Privacy Officer.
- There will then be an evaluation of the scope and possible impact of the breach. The Privacy Officer will assess if a breach is likely to be notifiable and ensure appropriate actions including reporting to the OAIC. An assessment of a known or suspected breach must be conducted expeditiously and where possible should be completed within 30 days.
- In all cases the assessment will identify what actions must be taken. These will be documented and acted upon as soon as possible.
- There is no single method of responding to a data breach. Data breaches must be dealt with on a case-by-case basis, by undertaking an assessment of the risks involved, and using that risk assessment to decide the appropriate course of action.
- There are four key steps to consider when responding to a breach or suspected breach.
- STEP 1: Contain the breach and do a preliminary assessment
- STEP 2: Evaluate the risks associated with the breach
- STEP 3: Notification to OAIC and affected individuals
- STEP 4: Prevent future breaches
A notifiable breach
- A breach which is assessed as likely to result in serious harm to individuals whose personal information is involved, is a notifiable data breach. Such data breaches must be notified to the affected individuals and the OAIC. Notice must include information about the breach and the steps taken in response to the breach.
- If the University has responded quickly to the breach, and as a result of this action the data breach is not likely to result in serious harm, there is no need to notify individuals or the OAIC. However, the University may decide to tell the affected individuals about the incident if it is considered appropriate.
- The risk of serious harm will be assessed by considering both the likelihood of the harm occurring and the consequences of the harm. Some of the factors that should be considered are:
The type of personal information involved in the data breach.
Some kinds of personal information are more sensitive than others and could lead to serious ramifications for individuals if accessed. Information about a person’s health, documents commonly used for identity fraud (e.g. Medicare card, driver’s licence) or financial information are examples of information that could be misused if the information falls into the wrong hands.
Circumstances of the data breach
Nature of possible harm
- Notification to the OAIC and internally within the University is the responsibility of the Privacy Officer.
- Notification to individuals may be undertaken by the Privacy Officer or a University officer in the area in which the breach occurred after the Privacy Officer agrees to the action.
- Notifications will follow the format identified by the OAIC in Data breach preparation and response.
- A response team will be formed for a serious breach. The team will include the IT Security Manager, Cyber & Digital Security and an officer from the line area. Staff from the Legal Office and Strategic Communication and Public Affairs Office will provide advice.
- The Chief Operating Officer will be informed when a Response Team is established.
Breaches that are not serious
- Breaches that are not assessed as serious breaches may be handled by line managers, but must be reported to the Privacy Officer.
- Documentation will be stored in the Electronic Records Management System for each suspected breach.
|Printable version (PDF)|
|Title||Data breach response plan|
|Purpose||To set out procedures to implement the mandatory notifiable data breaches scheme that applies under the Privacy Act 1988.|
|Audience||Staff, Students, Prospective Staff, Prospective Students|
|Topic/ SubTopic||Information Management - Privacy|
|Effective Date||7 Aug 2023|
|Next Review Date||6 Aug 2028|
|Responsible Officer:||University Librarian and Director, Scholarly Information Services|
|Approved By:||Chief Operating Officer|
|Contact Area||Library, Archives and University Records|
Privacy Act 1988
Information generated and received by ANU staff in the course of conducting business on behalf of ANU is a record and should be captured by an authorised recordkeeping system. To learn more about University records and recordkeeping practice at ANU, see ANU recordkeeping and Policy: Records and archives management.