Data breach policy

• handle personal information consistently with the IP Act and this Policy; and
• identify and immediately report actual or suspected data breaches involving personal information to the Corporate Services Manager in accordance with this Policy.

• collaborate with the Corporate Services Manager to take containment and mitigation action (immediately and on an ongoing basis as needed);
• undertake additional internal escalation reporting as needed (e.g. Legal, Compliance and Investigations Unit);
• provide information for assessment and internal reporting;
• engage with any service providers (if needed); and
• implement permanent prevention methods (if needed).

• collaborate with business area on containment and mitigation;
• undertake / recommend additional internal escalation/ reporting as needed (e.g. Legal, Compliance and Investigations Unit);
• assess severity of data breaches, including those involving personal information and the likelihood a breach will result in serious harm to an individual (eligible data breach); and
• maintain BPEQ's register of eligible data breaches.

Assist the Corporate Services Manager with the responsibilities above.

BPEQ employees to immediately contact the Corporate Services Manager when becoming aware that a data breach may have occurred and provide information.

Any report to the Corporate Services Manager should include details about the data breach, including the nature of the information subject to the breach such as personal information and circumstances surrounding the data breach to inform containment/ mitigation actions and assessment.

This stage involves the appropriate allocation and escalation of the matter. This includes setting up a Data Breach Response Team, which may involve engaging and managing external experts.

The Data Breach Response Team will establish a proactive and reactive communication strategy and consider any immediate notifications.

The Data Breach Response Team will coordinate the following:

• take all reasonable steps to immediately contain the breach;
• mitigate any possible damage to BPEQ and/or affected individuals; and
• stop the breach from occurring again.

The above may involve:

• making efforts to recover the personal information;
• securing, restricting access to, or shutting down breached systems;
• suspending the activity that led to the data breach; and
• revoking or changing access codes or passwords.

In determining the appropriate containment or mitigation actions, the Data Breach Response Team should consider the following questions:

• what happened to cause the data breach, and can interim controls be implemented?
• Does BPEQ need to work with any third parties or service providers to investigate and resolve the data breach?
• Can the personal information be recovered?
• Can the personal who has received personal information incorrectly, be contacted?
• Can the system which has been breached be shut down?

This stage may also involve communications with other parties if they are involved in the containment of a data breach. The Corporate Services Manager will also be responsible for coordinating any internal advice and assistance, such as, for example, assistance from BPEQ's shared services provider (Corporate Administration Agency) or cyber security unit in containing and mitigating the data breach.

Undertake a fulsome assessment of the breach to determine if it is an eligible data breach. This will involve an assessment of the severity of the breach and the likelihood that the breach will result in serious harm to an individual to whom the information relates. This assessment must be completed within 30 days of forming a reasonable suspicion of a data breach. If BPEQ is satisfied that it will not be able to complete the assessment in 30 days, it can extend that time under section 49 of the IP Act.

The following matters should be considered when assessing the breach:

• What is the nature of the breach?
• Is a counterparty or other third party likely to have caused the breach?
• How serious is the breach? What type of personal information is involved?
• Who is affected by the breach and what is the likelihood of serious harm to the affected individuals? Is there an eligible data breach? If so, should any notifications occur?
• Has the breach affected another agency?
• Should BPEQ contact any other internal or external subject matter experts (e.g. technical investigators or auditors or Legal, Compliance and Investigations)?
• What steps should be taken by the agency to minimize or avoid any potential harm to individuals?

If BPEQ reasonably believes that there has been an eligible data breach, it must, as soon as practicable:

• Prepare a statement about the eligible data breach in accordance with section 51 and provide that statement to the Information Commissioner;
• If one of the exemptions apply BPEQ may not be required to comply with the notifications requirements. See Division 3 of the MNDB Scheme;
• Notify affected individuals about the eligible data breach as soon as reasonably practicable; and
• Provide further information to the Information Commissioner.

BPEQ may also be required to notify the Australian Information Commissioner under the Privacy Act if the data breach includes TFNs.

Notification to individuals will be determined by a harm and risk assessment. If there is a foreseeable risk of harm, notification should occur unless the notification is likely to cause more harm than it would alleviate. It is critical to document the decision-making process here (including an assessment of impacted human rights).

The method of notifying affected individuals/organisations will depend in large part on the type and scale of the breach, as well as immediately practical issues such as having contact details for the affected individuals/organisations. Considerations include the following:

• When to notify: Individuals/organisations affected by a data breach will be notified as soon as practicable. However, practical factors are also recognised. It is best to avoid premature notifications before BPEQ has sufficient information. This is because, if not enough information is known, general letters with little information may cause unnecessary harm, panic, and concern.
• How to notify: BPEQ will take reasonable steps to notify each individual or each affected individual directly – by telephone, letter, email or in person. If BPEQ cannot directly notify each individual or each affected individual, it will publish the required information on BPEQ's website for a period of at least 12 months, in accordance with section 53(1)(c) of the IP Act.
• What to include: Sections 51(2) and 53(2) of the IP Act set out the specific information that a notification to the information commissioner and individual/s must include, to the extent it is reasonably practicable:
  • the date that the breach occurred, how the breach occurred and a description of the type of eligible data breach (e.g. access, disclosure or loss), including the number of people impacted by the data breach;
  • the personal information included in the breach;
  • the amount of time the personal information was disclosed for;
  • actions that have been taken or are planned to secure the information, or to control and mitigate the harm;
  • recommendations about the steps an individual should take in response to the breach;
  • information about complaints and reviews of agency conduct;
  • the name of the agencies that were subject to the breach;
  • contact details for the agency subject to the breach or the nominated person to contact about the breach; and
  • the number of people who will be notified about the data breach and whether those people have been advised of their rights to make a privacy complaint to the agency.

In this stage, BPEQ will also consider:

• other legal obligations requiring notification of a breach outside of the IP Act; or
• for non-eligible data breaches, BPEQ may in its discretion consider voluntary data breach notification to the Information Commissioner, affected individuals and others.

BPEQ will develop a complaint response strategy for privacy complaints. Please refer to section 9 Complaints in BPEQ's Privacy Policy for information about how to make a complaint about a privacy breach.

To understand what BPEQ needs to do to remediate the breach, it may need to obtain expert advice to consider the following:

• the steps required to resolve the incident;
• the reasonableness of what happened;
• what changes/controls will prevent or reduce risk of reoccurrence; and
• costs associated with remediation.

This stage may involve third party engagement.

BPEQ is committed to implementing key learnings from a data breach incident to ensure that BPEQ's systems, policies and procedures are fit for purpose and that appropriate preventative measures are in place.

As part of preventing future breaches, BPEQ should consider the following questions to take the following actions:

• Can BPEQ provide training to its employees?
• What was the root cause of the data breach?
• Can BPEQ update its existing internal processes?
• Does BPEQ's internal register of eligible data breaches illustrate any reoccurring issues?

Can BPEQ permanently implement any of the interim containment or mitigation actions taken in response to the breach?

BPEQ will:

• Keep records of the data breach, including the assessment about whether a data breach is an eligible data breach, consistent with BPEQ's obligations to maintain public records in accordance with the Public Records Act 2023;
• Maintain an internal register of any eligible data breaches in accordance with section 72 of the IP Act.

BPEQ holds personal information securely and takes reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access, modification or disclosure.