Publication date: 6 September 2023

Introduction

1.1 In December 2022, the Office of the Australian Information Commissioner (OAIC) commenced a privacy assessment of 7 Australian Capital Territory (ACT) public sector agencies (ACT Directorates) which examined whether they each had a data breach response plan that meets the requirements of the Territory Privacy Principles (TPPs), specifically TPP 11 contained in the Information Privacy Act 2014 (ACT)[1]. This summary report describes the assessment and provides a summary of the key findings.

Background

1.2 The Information Privacy Act regulates how personal information is handled by ACT agencies. This Act includes TPP 11 which requires ACT agencies to take reasonable steps to protect personal information they hold from misuse, interference and loss, and from unauthorised access, modification or disclosure.

1.3 The ACT Government has entered into a Memorandum of Understanding (MoU) with the OAIC for the provision of privacy services by the OAIC to ACT agencies.[2] Under the terms of this MoU, the Australian Information Commissioner (Commissioner) exercises some of the functions of the ACT Information Privacy Commissioner. These functions include conducting privacy assessments of the ACT agencies’ compliance with the TPPs.

1.4 The OAIC considers a data breach response plan as a reasonable step ACT agencies can take under TPP 11. However, having a plan to respond to data breaches will not, by itself, mean an ACT agency has taken reasonable steps to protect personal information. Further action may be needed to meet an ACT agency’s obligations under TPP 11. An effective data breach response plan can help ACT agencies to contain data breaches and manage their response.

1.5 The Notifiable Data Breaches (NDB) scheme in Part IIIC of the Privacy Act 1988 (Cth) requires entities covered by the Privacy Act to notify individuals and the Commissioner about ‘eligible data breaches’. An eligible data breach occurs when all the following criteria are met:

  • there is unauthorised access to or disclosure of personal information held by an entity (or information is lost in circumstances where unauthorised access or disclosure is likely to occur)
  • this is likely to result in serious harm to any of the individuals to whom the information relates
  • the entity has been unable to prevent the likely risk of serious harm with remedial action.

1.6 Under the Privacy Act, it is not mandatory for ACT agencies to comply with the NDB scheme, except where the ACT agency is a tax file number (TFN) recipient and experiences an eligible data breach involving TFN information. However, it is ACT Government policy[3] to voluntarily report any significant privacy data breaches to the OAIC. The OAIC has published a Guide[4] to preparing a data breach response plan that provides practical guidance for organisations and government agencies to develop a comprehensive and effective data breach response plan.

Objective and scope

1.7 The objective of this assessment was to examine whether the 7 ACT Directorates had a data breach response plan to assist with meeting the requirements of TPP 11.

1.8 The assessment considered how Directorates’ data breach response plans are operationalised, including whether the Directorate:

  • has a plan to respond to data breaches that reflects the OAIC’s best practice guidance as a reasonable step under TPP 11
  • has taken steps to operationalise the data breach response plan including training, testing, escalation, notification and governance.

Part 2: Summary of findings

Security of personal information

2.1 A data breach response plan enables an agency to respond quickly to a data breach. By responding quickly, an agency may reduce the likelihood of individuals affected by a data breach suffering harm. This also supports public confidence that personal information is being managed in accordance with community expectations.

2.2 The assessment found most (4) of the ACT Directorates had a data breach response plan in place that had been endorsed by the Executive of the Directorate. One Directorate provided a draft copy of its data breach response plan that was in the process of seeking endorsement from the Executive at the time of this assessment. We assessed the draft data breach response plan in order to ensure that, when adopted, the new plan would meet best practice. For this Directorate, our assessment findings refer to the draft plan. Two Directorates submitted internal policy documents other than a data breach response plan, which contained limited data breach response details. For the 3 Directorates that did not have a data breach response plan in place, we recommended they implement a data breach response plan.

A data breach response plan is considered a reasonable step an agency can take to protect an individual’s information from misuse, interference or loss, and from unauthorised access, modification or disclosure.

2.3 As a data breach response plan sets out what needs to happen in the event of a data breach, it is important for staff to be aware of where they can access the data breach response plan at short notice. A summary of data breach response plans and staff accessibility to the plans is listed at Table 1.

Table 1: Data breach response plan and accessibility by ACT Directorate
ACT Directorate | Data breach response plan | Accessible to staff
Chief Minister, Treasury and Economic Development Directorate | |
Community Services Directorate | |
Health Directorate | |
Justice and Community Safety Directorate | |
Transport Canberra and City Services Directorate | Other internal policy (plan in draft) |
Education Directorate | Other internal policy |
Environment, Planning and Sustainable Development Directorate | Other internal policy |

Escalation procedures

2.4 The data breach response plan should inform staff of escalation procedures for data breaches, and who staff should inform immediately if there is a suspected data breach. The most common best practice suggestions to ACT Directorates related to linking supporting documents within the data breach response plan for ease of access and providing a simplified flow chart or reference tool for readability.

2.5 The assessment found most (4) ACT Directorates’ data breach response plans contained clear escalation procedures and reporting lines for suspected data breaches.

Having a data breach response plan that includes procedures and clear lines of authority can assist an agency to quickly contain the breach and manage the response.

Roles and responsibilities

2.6 A data breach response plan is a framework that sets out the roles and responsibilities involved in managing a data breach. It should include who is responsible for deciding whether a breach should be escalated to a data breach response team.

2.7 Four of the Directorates’ data breach response plans (Table 2) nominated a senior executive member with overall responsibility for the data breach response and coordination of the data breach response team.

2.8 The assessment found that the majority (4) of Directorates’ data breach plans require some further information about their data breach response team, with team member details, reporting lines, roles and responsibilities missing. The assessment made 3 recommendations and a best practice suggestion in relation to roles and responsibilities.

Table 2: Staff roles and responsibilities outlined in data breach response plans
ACT Directorate | Data breach response team nominated members and contact details | Senior staff responsible for co-ordinating the response team | Senior staff with overall data breach response plan accountability | Staff with responsibility for day-to-day maintaining the plan
Chief Minister, Treasury and Economic Development Directorate | | | |
Community Services Directorate | | | |
Health Directorate | | | |
Justice and Community Safety Directorate | | | |
Transport Canberra and City Services Directorate | Other internal policy (plan in draft) | Other internal policy (plan in draft) | Other internal policy (plan in draft) | Other internal policy (plan in draft)
Education Directorate | Other internal policy | Other internal policy | Other internal policy | Other internal policy
Environment, Planning and Sustainable Development Directorate | Other internal policy | Other internal policy | Other internal policy | Other internal policy

Responding to data breaches

2.9 While each data breach response needs to be tailored to the circumstances of the incident, in general, a data breach response should follow four key steps: contain, assess, notify and review. At any time, entities should take remedial action, where possible, to limit the impact of the breach on affected individuals.

Containing data breaches

2.10 The majority (5) of the ACT Directorates’ data breach response plans stated how the plan applies to various types of data breaches and varying risk profiles. These 5 data breach response plans included possible remedial actions that could be taken to contain the breach and prevent any further compromise of personal information, or to lessen the risk of harm or damage caused by a data breach.

Assessing data breaches

2.11 Five of the ACT Directorates’ data breach response plans included a structured approach for assessing a real or potential eligible data breach and set out timeframes in which the assessment would be conducted.

2.12 The OAIC recommended that 4 Directorates update their policy to include details of the types of external experts that may be needed for data breaches affecting certain categories of personal information, for example, data forensics or media management.

Notification obligations

2.13 Most data breach response plans (4) included processes that outline when and how an individual affected by an eligible data breach is notified.

2.14 The majority of the data breach plans (5) were found to require some further information regarding processes for responding to incidents that involve another entity (including requirements under agreements with third parties) such as processes for notification.

2.15 The assessment found that 4 of the data breach response plans require further information documenting the obligations under agreements with third parties, such as insurance policies or service agreements. The assessment made one recommendation and 3 best practice suggestions to Directorates regarding notification obligations.

Review of data breach response

2.16 Reviewing how an agency responds to a data breach incident can strengthen an agency’s personal information security and handling practices and reduce the chance of the data breach recurring.

2.17 The assessment found 5 of the Directorates’ data breach response plans included some detail about a system for post-breach review and assessment of the data breach response and effectiveness of the data breach response plan.

2.18 Additionally, the 5 data breach response plans contained a strategy to identify and address weaknesses in data handling practices that may have contributed to the data breach.

Documentation, record keeping and review

2.19 The OAIC recommends that entities document the data breach assessment process and outcome. A data breach plan should include how a data breach incident is recorded, including those that are not escalated to the data breach response team.

2.20 Four of the Directorates’ data breach plans contained details about record keeping policies to ensure data breaches are documented.

2.21 Most (4) of the ACT Directorates’ data breach response plans were reviewed or revised within 2 years of the assessment. A future review date was included in 4 of the data breach response plans. Two Directorates had tested their plan in the last 12 months.

2.22 Three of the data breach plans included a future review date, with 1 indicating a future review date would be included once the document was endorsed.

A data breach response plan should include the planned schedule of reviewing and testing of the plan. The plan should also contain a system for a post-breach review and assessment of the data breach response and the effectiveness of the data breach response plan.

2.23 Table 3 is a summary of governance practices for data breach response plans.

Table 3: Governance of data breach response plans
ACT Directorate | Record keeping | Date last reviewed | Future review date
Chief Minister, Treasury and Economic Development Directorate | | |
Community Services Directorate | | |
Health Directorate | | |
Justice and Community Safety Directorate | | |
Transport Canberra and City Services Directorate | Other internal policy (plan in draft) | Other internal policy (plan in draft) | Other internal policy (plan in draft)
Education Directorate | Other internal policy | Other internal policy | Other internal policy
Environment, Planning and Sustainable Development Directorate | Other internal policy | Other internal policy | Other internal policy

Recommendations and next steps

2.24 In total, 11 recommendations were identified during this assessment, all of which have been accepted by the ACT Directorates. The OAIC will follow up the implementation of the recommendations in this assessment in the next 12–18 months.

Methodology

2.25 The OAIC selected Directorates to be involved in the assessment in consultation with the ACT Justice and Community Safety (JACS) Directorate. These Directorates were considered to be the most appropriate assessment targets because of the amount of personal information they handle.

2.26 The ACT Government Directorates assessed were:

  • ACT Health Directorate
  • Chief Minister, Treasury and Economic Development Directorate
  • Community Services Directorate
  • Education Directorate
  • Environment, Planning and Sustainable Development Directorate
  • Justice and Community Safety Directorate
  • Transport Canberra and City Services Directorate.

2.27 The assessment involved a questionnaire and a desktop review of the selected Directorates’ data breach response plans as at December 2022. The OAIC considered each data breach response plan against the OAIC’s guidance on data breach preparation and response in 5 key areas:

  • a clear explanation of what constitutes a data breach
  • a strategy for containing, assessing, notifying and reviewing the data breach, including:
    • testing and review of the plans
    • a clear and immediate communications strategy that allows for the prompt notification of affected individuals and other relevant entities (including voluntary reporting to the OAIC)
  • the roles and responsibilities of staff including staff training
  • documentation and review of the data breach
  • governance including whether there is a data breach response team.

2.28 The findings in this report are based on the Directorates’ responses to the questionnaire and the content of the Directorates’ data breach response plans at the time the assessment was conducted.

2.29 As part of the assessment, the OAIC did not test examples of the operation of data breach response plans and the related practices, procedures and systems. For further information about the OAIC’s privacy assessments see the OAIC Guide to privacy regulatory action.

Footnotes

[1] Information Privacy Act 2014 (ACT)

[2] MoU with the ACT Government for privacy services

[3] ACT Cyber Security Policy, V3.1 Notification of Data Breaches Section

[4] The OAIC's Data breach preparation and response guide