Data breach
Direction and guidance on how the department identifies, responds to and manages a data breach involving personal information and/or health information.
Audience
All staff, including education support staff, school staff and principals.
Version | Date | Description of changes | Approved by |
---|---|---|---|
V01.0.0 | 18/12/2024 | New policy document developed to clarify the department’s obligations under the Mandatory Notification of Data Breach Scheme (Part 6A of the Privacy and Personal Information Protection Act 1998 [NSW]). | Chief People Officer, People Group |
About the policy
This policy document:
- applies to all actual and suspected data breaches involving personal information
- supports the department’s obligations under the Mandatory Notification of Data Breach (MNDB) Scheme (Part 6A of the Privacy and Personal Information Protection Act 1998 [NSW] [PPIPA]).
- supports the department’s obligations under the Notifiable Data Breaches scheme under the Privacy Act 1988 (Cth) in the case of data breaches involving early childhood education or tax file numbers.
Staff should consult the Data breach response plan (staff only) on the department’s intranet for more detailed guidance on how to respond to a data breach.
Term | Definition |
---|---|
Cyber incident | An occurrence or activity that may threaten the confidentiality, integrity or availability of a system or the information stored, processed or communicated by it. |
Data breach | Occurs when either: |
Data owner | The head of a business unit or their nominee who is responsible for managing the personal information that is the subject of the breach. For schools, the data owner is the principal or their nominee. For this Data breach policy, references to the data owner can also be considered to be references to the data steward (as referred to in the Enterprise data standards). |
Eligible data breach (EDB) | A data breach where a reasonable person would conclude that the data breach is more likely than not to result in serious harm to an individual to whom the information relates. |
Health information | A particular kind of personal information, namely information or an opinion about an individual’s physical or mental health or a disability or the provision of a health service to an individual. It also includes an individual’s wishes about future healthcare. |
MNDB Scheme | The Mandatory Notification of Data Breach (MNDB) Scheme (Part 6A of the Privacy and Personal Information Protection Act 1998 [NSW] [PPIPA]). The MNDB Scheme requires the assessment of whether a data breach is an EDB requiring mandatory notification to the Privacy Commissioner and affected individuals. |
Personal information | Information or an opinion about an individual whose identity is apparent or can reasonably be ascertained either from: Any information about a reasonably identifiable individual is personal information. For this policy, personal information includes health information. |
Suspected eligible data breach | A data breach that Legal Services considers to be a suspected EDB requiring a formal EDB assessment. Flagging a data breach as a suspected EDB is distinct from the subsequent formal EDB assessment and EDB determination under sections 59G and 59J of the PPIPA. |
Eligible data breach (EDB) assessor (Legal Officer, Senior Legal Officer or Principal Legal Officer):
- assesses whether a suspected eligible data breach (EDB) is an actual EDB
- in the case of confirmed EDBs, notifies the Privacy Commissioner and affected individuals.
EDB decision maker (Principal Legal Officer or Deputy General Counsel who has delegated responsibility from the Head of the Agency):
- decides whether a suspected EDB is an actual EDB.
Data owner:
- assists Legal Services with EDB assessments
- reviews data breach incidents and may be asked to report back to Legal Services on harm minimisation steps and lessons learnt.
Staff:
- must take reasonable steps to contain, mitigate and report data breaches in accordance with the department’s Data breach response plan (staff only)
- must complete mandatory online data breach training.
What needs to be done
Staff must report suspected data breaches and work with Legal Services to respond to data breaches involving personal information and/or health information appropriately, as outlined in this policy.
The department seeks to negotiate contract terms that require service providers to:
- comply with the Information Protection Principles and Health Protection Principles (or equivalent Australian Privacy Principles)
- promptly report to the department any data breaches affecting the department
- cooperate with the department in containing, mitigating, investigating and assessing data breaches.
1. Contain and mitigate a possible data breach
Staff who suspect a data breach has occurred:
- must stop the breach and minimise its impact – for example, recall an email
- may also need to alert affected individuals so they can take any necessary measures.
Refer to the toolkit in the Data breach response plan (staff only) for template letters and tips on recalling emails.
2. Report suspected data breaches
Staff must report suspected breaches by:
- completing the Data breach incident notification form (staff only) (PDF 91 KB)
- sending the form to Legal Services at DataBreach.ResponseTeam@det.nsw.edu.au (with a cc to cyber.investigations@det.nsw.edu.au).
3. Assess and investigate
3.1 Assess and record the incident
Once notified of a suspected data breach, Legal Services will triage the incident to determine:
- whether it is a data breach
- if it is a data breach, whether it is likely to cause serious harm to a person (a suspected eligible data breach [EDB]).
If there has not been a data breach, Legal Services will inform the data owner and/or notifier.
If it is confirmed that a data breach has occurred, Legal Services will record the incident on the Data Breach Incident Register. All confirmed data breaches are recorded, whether or not they are suspected or eligible data breaches.
3.2 Investigate the incident
If the incident is determined to be a data breach or a suspected eligible data breach, Legal Services will investigate the incident in consultation with the relevant areas of the department, such as Cyber Security, to determine the most appropriate response, as outlined below.
If the incident is confirmed to be a data breach only (not a suspected EDB) then Legal Services will contact the data owner and relevant stakeholders to:
- check whether any additional harm minimisation steps can be taken
- require the data owner and/or notifier to review the incident and report back on what steps have been or will be taken to minimise similar future incidents.
If the incident is confirmed to be a suspected EDB (Legal Services suspects a likelihood of serious harm to any person) then Legal Services will:
- appoint an EDB assessor to conduct a more formal EDB assessment
- manage this assessment, either on its own or as part of a Data Breach Response Team (as outlined below).
Data owners must assist the assessor or the response team as required.
EDB assessors must complete their assessment as soon as possible, and in any case within 30 days of the initial report of the data breach being received, unless the EDB decision maker extends this timeframe in accordance with the Mandatory Notification of Data Breach (MNDB) Scheme (refer to the Data breach response plan [staff only]).
The EDB decision maker makes the final decision as to whether the suspected EDB is an EDB.
Data Breach Response Team
Legal Services may decide to establish a Data Breach Response Team, depending on the size and suspected severity of the incident.
The team (which may consist of only an EDB assessor and the data owner, but may include others as needed) will:
- respond to and manage the incident in line with the Data breach response plan (staff only)
- agree on a Data Breach Team Leader.
Other department areas will be included as needed, for example:
- Cyber Security for cyber incidents
- Media Unit for more complex, high-profile incidents.
All staff, including data owners, must assist the response team as needed by:
- implementing the data breach response plan
- providing information as required.
4. Notify appropriate agencies and individuals
If the EDB decision maker determines, following the formal EDB assessment, that the breach is an eligible data breach (that is, serious harm to an individual is likely), Legal Services must, under the Mandatory Notification of Data Breach (MNDB) Scheme, notify:
- the Privacy Commissioner
- affected individuals.
Legal Services will submit mandatory notifications.
Communications to affected individuals need to inform the individual without unnecessarily alarming them or releasing information that might breach their privacy. The approach will depend on the size and severity of the data breach. For further information, refer to the Data breach response plan (staff only).
For eligible data breaches where it is not practicable to notify individuals, the department will publish a notification on the Data Breach Public Notification Register.
Where applicable and depending on the severity of the eligible data breach, Legal Services, together with the Data Breach Response Team, may also need to notify external assistance bodies and other organisations, including:
- Cyber Security NSW
- iCare
- IDCARE
- ID Support
- Privacy Commissioner
- Law enforcement bodies
- Other agencies affected by the breach.
5. Review the incident and response
Data owners and/or notifiers must review data breach incidents for:
- lessons learned (which must be reported back to Legal Services)
- opportunities to minimise the re-occurrence of similar incidents.
Outcomes might include changes in practices and further training for staff.
For major breaches, a more formal audit process may be required.
For more information on the review phase, refer to the Data breach response plan (staff only).
Record keeping requirements
Records of data breaches are stored and maintained in accordance with the department’s Records management procedures and the State Records Act 1998 (NSW). Legal Services maintains a log of data breaches on the department’s internal Data Breach Incident Register.
Mandatory tools and templates
- Data breach incident notification form (staff only) (PDF 91 KB)
- MyPL (staff only) (courses available from T1, 2025):
  - Cyber Security and Data Breaches – PSSE
  - Cyber Security and Data Breaches – School-based and ESS
Supporting tools, resources and related information
Commonwealth legislation:
NSW legislation:
- Privacy and Personal Information Protection Act 1998
- Health Records and Information Privacy Act 2002
- State Records Act 1998
Policies and standards:
Policy contact
The Manager, Privacy and Compliance monitors the implementation of this policy document, regularly reviews its contents to ensure relevance and accuracy, and updates it as needed.