Data Breach Policy
The term ‘data’ generally refers to unprocessed information, while the term ‘information’ refers to data that has been processed in such a way as to be meaningful to the person who receives it. For the purposes of this document, the terms ‘data’ and ‘information’ have been used interchangeably and should be taken to mean both data and information. Intact Security creates, collects and maintains a considerable amount of data, much of which is confidential personal information. The data collected is used for direct marketing, planning, management and monitoring of various services provided by Intact Security. Information in Intact Security is held in many forms such as records, reports, personnel records, paper files, and computerised databases and documents. It may be transmitted in many ways including by hand or electronically using shared communications lines. Information may be transmitted through systems controlled by Intact Security or systems controlled by external parties. The principles underlying the need for information security applies to all information irrespective of the media on which it is held. A data breach is an incident, in which personal or confidential information, or non-personal information that could be sensitive or commercial, is compromised, disclosed, copied, transmitted, accessed, removed, destroyed, stolen or used by unauthorised individuals, whether accidentally or intentionally. In the event that Intact Security experiences a data breach, or suspects that a data breach has occurred, it is important that procedures are in place to enable Intact Security to contain, assess and respond in a timely manner. This will help minimise potential damage to individuals and the organisation.
This policy applies to all persons employed in Intact Security (including contractors and external agency personnel). This policy also applies to external organisations and their personnel who have been granted access to Intact Security Information and Communication Technology (ICT) infrastructure, services and data. The scope of the policy includes Intact Security data held in any format or medium (paperbased or electronic) that has been assigned a classification of protected (internal use) or confidential. The policy does not apply to information that has been classified as Public
The policy covers all record level and aggregate level data collections within Intact Security, including those provided for by statute. It includes collections of corporate, financial and workforce information. For the purpose of this policy, a data collection includes both operational data collections and data repositories. Depending on the type and extent of the data breach, management of public relations may be required, including coordinating the timing, content and method of public announcements and similar activities. These activities are outside the scope of this policy, which is limited to the immediate internal responses of business units.
Data Breach Policy Statement
This policy sets out mandatory procedures that staff must apply in the event that Intact Security experiences a data breach or suspects that a data breach has occurred.
Data Breach Types
A data breach is an incident, in which information is compromised, disclosed, copied, transmitted, accessed, removed, destroyed, stolen or used by unauthorised individuals, whether accidentally or intentionally.
Information Security Breach
An information security breach is any incident that results in unauthorised access of data, applications, services, networks and/or devices through bypassing their underlying security mechanisms (e.g. firewalls). An information security breach occurs when an individual or an application illegitimately enters a private, confidential or unauthorised information technology perimeter. An information security breach may also be caused by any software attempts to subvert the confidentiality, integrity or availability of a system and may be the result of external intrusion. The method of intrusion needs to be identified to stop further access and mitigate damage to servers.
Some causes of an information security breach are:
- databases containing personal information being illegally accessed by individuals outside of the agency or organisation
- abuse of privileges in a network environment
- unauthorised changes to network profiles or access control lists
Personal Information Breach
A breach of personal information is considered to be an incident whereby information has potentially been viewed, shared, stolen, removed, destroyed or used by an individual unauthorised to do so. A personal information breach occurs when there is unauthorised access or disclosure of Intact Security information, whether intentional or unintentional. Some causes of a personal information breach are:
- improper handling of classified Intact Security information
- an agency or organisation inadvertently providing personal information to the wrong person, for example, sending details out to the wrong address
- an individual deceiving Intact Security into improperly releasing the personal information of another person
- lost or stolen laptops, removable storage devices or paper records containing personal information · hard drive and other storage media being disposed without the contents first being erased
- unauthorised publishing of classified information to an uncontrolled environment e.g. internet or social media
- unauthorised access to records or electronic databases
- unauthorised disclosure of information that has the potential to cause an adverse event
- any unforseen event that has or may affect the ethical acceptability of the use of the personal information provided by Intact Security.
Corporate, Financial or Workforce Information Breach
Corporate, financial or workforce information breach occurs when there is unauthorised access or disclosure of information, whether intentional or unintentional. Some causes of corporate, financial or workforce breach are:
- unauthorised access to human resource systems
- improper handling of staff bank account details or payslip details
- a person inadvertently disclosing staff contact details such as mobile phone number or home address
- unauthorised publishing of budget related information
- unauthorised disclosure of staff professional development documentation or assessment results.
Reporting a Data Breach
Data Breach Incident Reporting Form
A Data Breach Incident Reporting Form should be completed by Intact Security staff in all instances of a data breach or suspected data breach. The form is comprised of two parts, Part A and B. Part A is to be completed immediately, by the person who discovers or suspects the breach. The following details must be recorded:
- the date, time, duration and location of the breach
- how the breach was discovered or is suspected
- description of the incident and the type of data involved in the breach
- the cause and extent of the breach
- other staff members that either witnessed the event or were notified at the time of the incident
- an initial breach impact severity rating.
The Data Custodian must complete Part B of the Data Breach Incident Reporting Form by providing the following details:
- details of who is affected by the data breach and the estimated number of individuals affected
- a description of the immediate actions taken to contain the breach
- details of anyone else notified of the incident and, if so, how and when they were notified
- whether any evidence has been preserved
- if any further investigation is considered necessary
- if any steps have been taken to prevent the data breach from occurring again.
Data Breach Impact Severity Ratings
The Data Breach Impact Severity Ratings provides a standardised approach for assessing the severity of a data breach and outlines the reporting requirements for data breach notification. Staff are required to make an initial assessment using the Data Breach Impact Severity Ratings Form and to notify relevant staff of the breach in accordance with this form. The impact severity rating of a data breach can range from negligible to very high. A rating should be considered against each of the categories below:
- risk to individuals’ safety
- distress caused to any party or damage to any party’s standing or reputation
- unauthorised release of personally or commercially sensitive data to third parties
- threat to Intact Security or third party systems, or capacity to deliver services
- financial loss to Intact Security or liability to a third party
- impact on Intact Security finances, economic/commercial interests
- impact on development or operation of Intact Security policy.
Data Breach Response
Data breaches must be dealt with on a case-by-case basis by undertaking an assessment of the risks involved, and using that risk assessment to decide the appropriate course of action. Data security methods must be commensurate with the sensitivity of the information and any disciplinary action commensurate with the seriousness of the breach. There are four key steps to consider when responding to a breach or suspected breach
Expected Response Timing for Types of Data Breaches
The Data Breach Response Steps as set out in this policy should be followed in all instances of a data breach. The specific activities and the expected response timing of these steps will vary, depending on the incident type and the severity rating of the incident. The Intact Security Potential Causes and Expected Responses for Data Breaches Guideline provides staff with a guide for managing data breaches that correspond with the four types. The Guideline provides examples according to the type of data breach, as well as their potential cause, and suggests an appropriate response and timeframe for managing the data breach. These Guidelines may be used to provide Data Custodians with assistance to develop their own response timings that will relate directly to their data collection.
Once a data breach has been investigated, any related documentation must be kept by the Data Custodian and maintained in accordance with state or federal legislation.
Compliance with this Operational Directive is mandatory. Those who fail to comply with this policy may face disciplinary action and, in serious cases, termination of their employment or engagement. Moreover, users who breach confidentiality and security may be subject to disciplinary action.
Unauthorised access, use, disclosure and destruction of confidential information is misconduct pursuant to the Intact Security Code of Conduct.
|Aggregate Level Data||is summed and/or categorised data that is analysed and placed in a format that precludes further analysis (for example: in tables or graphs) to prevent the chance of revealing an individual’s identity (individual records cannot be reconstructed).|
|Confidential Information||access and disclosure of this information must be controlled and will only be given to persons in order to perform their duties (need-to-know) or through legislation.|
|Data Breach||is an incident, in which personal or confidential information, or non-personal information that could be sensitive or commercial, is compromised, disclosed, copied, transmitted, accessed, removed, destroyed, stolen or used by unauthorised individuals, whether accidentally or intentionally.|
|Data Collection||is a systematic gathering of data for a particular purpose from various sources, including manual entry into an application system, questionnaires, interviews, observation, existing records and electronic devices. This includes both operational data collections and data repositories.|
|Data Custodian||is a person(s) responsible for the day-to-day management of data from a business perspective. The Data Custodian aims to improve the accuracy, usability and accessibility of data within the data collection.|
|Data Repository||includes data that is collected from various sources, including operational data collections for the primary purpose of monitoring, evaluation, reporting and research. Examples of data repositories include data held within the Finance Data Warehouse.|
|Data Steward||is a delegated person responsible for setting the overall strategic direction of a specific data collection. They ensure the collection is developed, maintained and utilised in accordance with the strategic goals of Intact Security. The Data Steward is also responsible for authorising access, use and disclosure of data from the data collection for clearly defined purposes that comply with Intact Security’s statutory obligations.|
|Internal Protected Information||is information readily available to Intact Security employees. Information may be accessed or disclosed to third parties with specific authorisation or consent.|
|Personal Data||information or an opinion whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably by ascertained, from the information or opinion.|
|Public Information||is information approved as suitable for public dissemination or deemed public by legislation or routine disclosure.|
|Risk Assessment||is the identification, evaluation and estimation of the levels of risks involved in a situation|
Roles and Responsibilities
Data Stewards are accountable for data breaches relating to their data collection. Data Stewards are responsible for ensuring that the Director has been sufficiently briefed in relation to data breaches with a medium, high or very high impact severity rating. The Data Steward has the authority to determine that further investigation or action in relation to a data breach is required.
Data Custodians are responsible for the security of the data and adherence to standards. Once the Data Custodian has either discovered or been informed of a data breach or suspected data breach, it is the responsibility of the Data Custodian to assess the severity of the incident and decide on any immediate action to be taken in consultation with the Data Steward. The Data Custodian must complete the relevant sections of the Intact Security Data Breach Incident Reporting Form . Once a data breach has been finalised, the Data Custodian is responsible for maintaining all data breach documentation in accordance with record keeping practices.
Data Breach Incident Reporting Form