Xuất bản thông tin

Information Breach Procedures

procedure

These procedures must be read in conjunction with the Information Breach Policy.

2. Scope

These procedures apply to all employees.

3. Procedures

3.1 Contain the information breach

The employee who discovers a breach must:

  • take steps to contain the breach by limiting distribution of the affected information and preventing further compromise.
  • immediately inform their principal/line manager.

The principal/line manager must:

  • confirm that steps have been taken to contain the breach.
  • document details of the steps taken to aid in the assessment, review, and developing of preventative actions and/or education programs and training material.
  • seek advice from the Departments Standards and Integrity Directorate in cases of potential breaches of discipline or conduct.
  • inform the Information Custodian.
  • if required, escalate the incident to the Information Privacy and Governance Team for them to carry out further investigations and reporting.

The Information Custodian must:

  • have an oversight of the breach related to their information asset to review and continually update risk mitigation strategies

The Information Privacy and Governance Team must:

  • support the communications related to breaches.
  • determine if other escalation or notification is required.

3.2 Assess the details of the information breach

The principal/line manager must:

  • carry out an initial and impartial assessment depending on the breach circumstances.

For escalated breaches, the Information Privacy and Governance Team must:

  • seek advice from the Departments Standards and Integrity Directorate in cases of potential breaches of discipline or misconduct.

Guidance

Guidance:

Factors to consider when assessing an information breach:

Details of the breach: Assessors should evaluate the type and sensitivity of breached information, identify affected individuals, and determine the extent and impact of the breach.

Source of the breach: Assessors must investigate the source of the breach to identify the root cause and contributing factors, determining if it was due to malicious intent, human error, or negligence. They should understand the circumstances leading to the breach, assess if it was a system failure or a procedural issue, and determine if it was an isolated incident or an ongoing risk.

Impact assessment: Assessors must evaluate the nature of the breach, affected individuals, and the type of compromised information. They should determine the extent of the breach and assess potential current and future harm to both the affected individuals and the Department.

Extent: Assessors must quantify the amount of data or number of records breached, the duration the breach went undetected, and whether the information has been recovered.

Harm to individuals and the Department: Potential harm to individuals includes identity theft, threats to personal safety, damage to reputation, loss of business opportunities, and financial loss. For the Department, the breach could impact service capacity, result in loss of reputation and public trust, financial loss, exposure of sensitive information, loss of assets, and risk of regulatory penalties or legal liability.

3.3 Notify the relevant authorities

The principal/line manager must inform:

  • the Information Privacy and Governance Team.
  • other responsible officers in accordance with Western Australian Information Classification Policy.
  • the Standards and Integrity Directorate if the breach constitutes a breach of discipline or contravention of the Code of Conduct.

The Information Privacy and Governance Team must:

  • provide advice on the management of a breach.
  • maintain the information breach register and ensure it is stored and managed on the Electronic Document Records Management System (TRIM).
  • conduct an annual review of information breaches to determine the inclusion in the Annual Report.
  • review and make recommendations to implement measures and prevent future breaches.
  • notify and report the breach to the Information Commissioner if the breach meets the requirements of the Notifiable Information Breach Scheme under the Privacy and Responsible Information Sharing Bill 2024.
  • review the process and the breach event to ensure all notification have been finalised to determine if further action is required.
  • implement and review the Information Breach Policy and supporting documents.
  • develop education programs and training materials.

4. Definitions

Aboriginal Information refers to information, including family history that relates to Aboriginal people and their ancestors.

Discriminatory Harm refers to information that causes a person to be treated differently due to ethnicity, gender, disability, age, religious belief, pregnancy, or sexual orientation (for example, details of religious beliefs that leads to public persecution).

Financial harm refers to financial loss or being unable to access one’s money (for example, when a third-party gains access to bank account).

Health information refers to personal or sensitive information or an opinion about an identified or reasonably identifiable individual’s health, illness, disability or injury. Including an individual’s expressed wishes about the future provision of health services, or a health service provided or to be provided to an individual. Health information also includes other personal information collected, to provide or in providing a health service to an individual. Health information is regulated in Western Australia under the Health Services Act 2016.

IPP entity refers to a Minister, Parliamentary Secretary, a public entity or contracted service provider thereby, the Department of Education is referred to as an IPP entity for the purposes of this document.

A notifiable information breach occurs when personal information held by an IPP entity is accessed, disclosed, or lost without authorisation and if a reasonable person would conclude that this access or disclosure is likely to result in serious harm to the affected individual. Serious harm refers to discriminatory, financial, physical, psychological or emotional, or reputational harm).

Personal Information including sensitive information, means information or an opinion about an identified or reasonably identifiable individual, living or dead, whether true or not, and can be recorded in a material form or not.

Physical harm refers to risk of physical harm or intimidation (for example, disclosure of a physical address to someone who wishes to cause physical harm to another).

Psychological or emotional harm including cultural harm, means having personal information available that causes anxiety, embarrassment, depression or hurt feelings (for example, potential availability of personal details or family circumstances, gender, ethnicity, or health information).

Reputational harm is damage to an individual or an IPP entity within the community or negative publicity that damages a reputation (for example, disclosure of information that negatively impacts an image).

Threat of harm arises from the availability of personal information from an information (or data) breach (for example, threats of blackmail or extortion).

5. Related documents

7. History of changes

Effective date Last update date Procedure version no.
12 November 2024 1.0
New procedures, endorsed by the Director General at the Corporate Executive meeting held on 11 September 2024.  D24/0653243
12 November 2024 28 November 2024 1.1
Minor change to amend legislation name error. D24/0904296

8. More information

This procedure:

Download procedure PDFInformation Breach Procedures v1.1

Please ensure you also download the policy supported by this procedure.


Supported policy:

Download Policy PDFInformation Breach Policy


Procedure review date

12 November 2027

Procedure last updated

28 November 2024