Data breaches must be dealt with on a case-by-case basis, by undertaking an assessment of the risks involved, and using that risk assessment to decide the appropriate course of action. There is no single method of responding to a data breach.These will be documented and acted upon as soon as possible. In all cases the assessment will identify what actions must be taken. An assessment of a known or suspected breach must be conducted expeditiously and where possible should be completed within 30 days. The Privacy Officer will assess if a breach is likely to be notifiable and ensure appropriate actions including reporting to the OAIC. There will then be an evaluation of the scope and possible impact of the breach.For example, a system suspected breach will be investigated by the IT Security Manager, Cyber & Digital Security together with the Privacy Officer and a non-system suspected breach will be investigated by the Privacy Officer. In assessing a suspected breach, the Privacy Officer may require assistance and information from other areas of the University depending on the circumstances. The ANU Privacy Officer will seek information to assess the suspected breach.If, after an initial investigation, the Privacy Officer suspects a notifiable data breach may have occurred, a reasonable and expeditious assessment must be undertaken to determine if the data breach is likely to result in serious harm to any individual affected. All known or suspected data breaches must still be notified internally to the ANU Privacy Officer. Reducing the scale and impact of a data breach can prevent the need for notification to the OAIC. Any immediate steps available to contain the breach must be identified and implemented in discussion with the Privacy Officer.When an ANU staff member discovers a known or suspected data breach they should immediately notify the ANU Privacy Officer by providing as much information as possible such as the time and date the known or suspected breach was discovered, the type of personal information involved, the cause and extent of the breach, and the context of the affected information and the breach.ANU experiences data breach or a data breach is suspected: this may be discovered by an ANU staff member, or an ANU staff member may be alerted by another party or system.Sensitive information means information or an opinion that is also personal information, about a person’s racial or ethnic origin, political opinions, memberships of political, professional and trade associations and unions, religious and philosophical beliefs, sexual orientation or practises, criminal history, health information, and genetic and biometric information. Personal information means information or an opinion about an individual who is identified, or who can reasonably be identified, from the information, whether or not the information or opinion is true or recorded in a material form, and includes sensitive information and Notifiable data breach means a data breach that is likely to result in serious harm, which must be notified to affected individuals and the Office of the Australian Information Commissioner (OAIC). Examples of a data breach are when a device containing personal information is lost or stolen, an entity’s database containing personal information is hacked or an entity mistakenly provides personal information to the wrong person. Definitionsĭata breach means unauthorised access to, or unauthorised disclosure of, personal information or a loss of personal information. To set out procedures to implement the mandatory notifiable data breaches scheme that applies under the Privacy Act 1988. Procedure: Data breach response plan Purpose International Strategy and Future Students Division of Student Administration and Academic Services
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |