Data Breach Response Plan
Introduction
A data breach occurs where there is an unauthorised access to or disclosure of personal information held by the Court, or information is lost in circumstances where unauthorised access or disclosure is likely.
The consequences of a data breach can result in serious harm to any of the individuals to whom the information relates, may damage the reputation of the Court and leave the Court in breach of its obligations under the Privacy Act 1988 (Cth).
The Court is responsible for ensuring that all reasonable steps are taken to handle personal information in accordance with the Australian Privacy Protection Principles. This includes protecting personal information from misuse, interference and loss, and from unauthorised access, modification and disclosure.
In addition, to ensure that individuals are notified if their personal information is involved in a data breach that is likely to result in serious harm, the Notifiable Data Breaches (NDB) scheme in Part IIIC of the Privacy Act requires entities, including the Court, to notify affected individuals and the Commissioner of eligible data breaches.
An eligible data breach occurs when a data breach is likely to result in serious harm to any of the individuals to whom the information relates and the entity has been unable to prevent the likely risk of serious harm with remedial action.
Purpose
The purpose of this Data Breach Response Plan is to set out the roles and responsibilities of Federal Court and Corporate Services staff involved in managing a data breach. The Plan also outlines to Federal Court and Corporate Services staff and stakeholders the processes established by the Court to contain, assess and manage a data breach and for deciding whether notification is necessary or desirable.
Report Data Breaches and Suspected Data Breaches
Any Court staff who suspect or become aware of a data breach should immediately report this to their managing supervisor, complete a Data Breach or Suspected Data Breach Incident Report (Annexure A) and forward that completed form to the Privacy Officer with a copy to their managing supervisor.
Where any suspected or known breach can be contained by taking immediate steps to limit any further access or distribution of the affected personal information, these steps should be taken. Of course, that action is not appropriate if it would compromise essential Court systems, or destroy evidence that may be valuable in identifying the cause of the breach, or that would enable the Court to address all risks posed to affected individuals or the Court.
Informing the Data Breach Response Team
On receiving a Data Breach or Suspected Data Breach Incident Report, or otherwise being notified of a data breach or suspected data breach, the Privacy Officer must inform the Data Breach Response Team, the CEO/Principal Registrar and the Chief Justice of the incident as well as any containment or remedial steps that have been taken or will be taken.
The Data Breach Response Team consists of the following:
- Privacy Champion (Chair);
- Chief Financial Officer;
- Chief Information Officer;
- Director Public Information;
- Privacy Officer; and
- any other person considered necessary by the Chair of the Data Breach Response Team.
Assessment
The Privacy Officer must undertake an assessment of the incident expeditiously. In assessing the incident the Privacy Officer must consider:
- the type or types of personal information involved in the data breach;
- the circumstances of the data breach, including its cause and extent; and
- the nature of the harm to affected individuals, and if this harm can be removed through remedial action.
The Privacy Officer must provide a draft report on the incident to the Data Breach Response Team. The draft report must include a draft finding as to whether the data breach is likely to result in serious harm to any of the individuals whose information was involved and whether notification is required pursuant to the NDB scheme or is otherwise desirable. The draft report should include recommendations as to how any notification is conducted as well as draft recommendations addressing the Courts ongoing review of the incident to improve its personal information handling practices.
Finalisation of the Report
The Data Breach Response Team is responsible for finalising the incident report and its recommendations and may amend the draft report and its recommendations accordingly and ask the Privacy Officer to address any issues of concern.
Approval of the CEO/Principal Registrar
The Chair of the Data Breach Response Team will present the finalised incident report to the CEO/Principal Registrar and seek approval for any recommended action within the report, including notification of individuals whose information was involved and the Information Commissioner pursuant to the NDB scheme or otherwise.
Notification of a Data Breach
In the event of a data breach, including a data breach that is not a notifiable data breach, consideration should be given by each of the Privacy Officer, the Data Breach Response Team and the CEO/Principal Registrar to notifying affected individuals, stakeholder organisations and the public. Any public announcement of a data breach should be timely, direct and explicit. Consideration should also be given to consulting external bodies as to the way that persons potentially affected by a data breach should be notified.
In addition, consideration should always be given to voluntarily notifying a data breach to the Office of the Australian Information Commissioner, notwithstanding that it is not an eligible data breach under the Data Breach Notification scheme in the Privacy Act.
Review of the Incident
The Data Breach Response Team is responsible for ensuring a thorough review is undertaken of the incident consistent with those actions approved by the CEO/Principal Registrar and ensuring necessary changes to reduce the chance of a reoccurrence and to strengthen the Court’s personal information security and handling practices.
At 31 July 2020
