Data Breach Policy

Introduction

Queensland Treasury Corporation (QTC) is committed to safeguarding its data, including personal information, by protecting it from loss, unauthorised access, misuse, or disclosure. This policy outlines QTC’s process for managing, assessing, and mitigating the impact of a data breach in compliance with the Mandatory Notification of Data Breach (MNDB) scheme under the Information Privacy Act 2009 (Qld) (IP Act).

Policy

It is the responsibility of every QTC staff member to protect the information QTC holds. QTC is committed to the effective management of any data breaches, including the following:

  • QTC recognises the value and importance of responding to suspected or actual data breaches quickly and efficiently.
  • QTC will take all reasonable and necessary steps to contain data breaches and minimise the harm to impacted individuals.
  • QTC employs various measures to ensure data security and compliance with privacy obligations. These measures include staff training, developing processes and policies, and ongoing attestation of these obligations.
  • QTC will ensure there are security safeguards in place, as are reasonable in the circumstances, to protect against loss of personal information, unauthorised access, use, modification or disclosure, and any other misuse.
  • QTC staff, contractors and vendors have a responsibility to report actual or suspected data breaches in a timely manner.

Scope

This Policy applies to and must be adhered to by:

  • all QTC staff;
  • any consultants and persons or organisations authorised to administer, develop, manage and support QTC’s information systems and assets; and
  • third party suppliers, vendors and contractors.

All staff have a responsibility to notify the Director of Cyber Risk and Strategy of any data breach immediately after becoming aware that a data breach may have occurred and provide information about the data breach in accordance with QTC’s Data Breach Response Plan.

What is a data breach

A data breach occurs where there is:

  • unauthorised access to, or unauthorised disclosure of, personal or confidential information; or
  • the loss of such information in circumstances where unauthorised access to, or unauthorised disclosure of, the information is likely to occur.

A data breach may be caused by malicious action, human error, or a failure in information handling or security systems.

Examples of data breaches include:

  • loss or theft of physical devices (such as laptops and mobile phones) or paper records that contain personal information;
  • unauthorised access to personal information by a QTC staff member, for example gaining access, whether intentionally or unintentionally, to a system or database that the staff member is not authorised to access;
  • a QTC staff member accidentally sending an email containing sensitive personal information to the wrong recipient;
  • someone impersonating a trusted individual or organisation to trick a staff member into revealing confidential personal information;
  • unintentional mishandling of personal information due to lack of training or awareness, for example not setting up an Information Barrier when required or not adhering to QTC’s “need to know” policy; and
  • a third-party service provider or contractor working with QTC experiencing a data breach that exposes QTC’s data held by them.

What is an eligible data breach

The MNDB Scheme applies where an eligible data breach has occurred.
For a data breach to be considered an “eligible” data breach under the MNDB scheme, two tests must both be satisfied:

  1. There has been unauthorised access to, or unauthorised disclosure of, personal information held by QTC, or there has been a loss of personal information held by QTC in circumstances where unauthorised access to, or unauthorised disclosure of, the information is likely to occur; and
  2. The unauthorised access to, or disclosure of, the information is likely to result in serious harm to an individual to whom the personal information relates (an ‘affected individual’).

QTC recognises that the harm which can potentially arise from a data breach will vary based on the nature of the personal information involved and the context of the breach. Serious harm is defined in schedule 5 of the IP Act as including:

  • serious physical, psychological, emotional, or financial harm to the individual because of the access or disclosure; or
  • serious harm to the individual’s reputation because of the access or disclosure.

Whether a data breach is ‘likely to result’ in serious harm requires that the risk of serious harm to an individual be more than merely possible; it must be more probable than not to occur. QTC will objectively test whether a data breach is likely to result in serious harm, and the outcome of each test will be determined on the facts of the specific breach.

Assessment timeframes

If QTC reasonably suspects, but is not certain, that a data breach may qualify as an eligible data breach, it must assess whether there are reasonable grounds to believe that it does. The assessment must be completed within 30 days unless an extension is required. If QTC cannot finalise the assessment within the 30-day timeframe, it may extend the period by the reasonable amount of time necessary to complete the process. Any such extension is subject to QTC giving written notice to the Queensland Information Commissioner.

Process for managing a data breach

QTC has implemented robust security measures to safeguard the data it holds against loss, unauthorised access, use, modification, or disclosure. To effectively prevent and manage data security risks, QTC has established a comprehensive suite of policies and procedures.

As part of its approach, QTC has developed a Data Breach Incident Response Plan, which provides detailed guidance on managing data breaches in line with this policy. This plan is reviewed every two years to maintain its relevance and effectiveness.

The Data Breach Incident Response Plan aligns with this policy and the QTC Privacy Policy, as outlined on the QTC website, and applies to all QTC staff. Additionally, QTC has implemented information and data management policies to guide staff on the proper handling and storage of information, including personal information. For example, the Data, Information, and Records Management Procedure includes specific provisions addressing confidentiality, misuse, security, and the management of records.


Roles and responsibilities

The table below outlines responsibilities across QTC.

Role: All QTC staff
Responsibilities: All QTC staff are responsible for managing information and data in accordance with this policy and must immediately report a suspected or actual data breach to their manager or the Director of Cyber Risk and Strategy for further investigation.

Role: QTC Information Security Incident Response Team (ISIRT)
Responsibilities: An ISIRT may be stood up by the Director of Cyber Risk and Strategy to respond to complex data breaches. The ISIRT is constituted in accordance with the Data Breach Incident Response Plan and may be scaled depending on the nature of the data breach, the resources required to respond, and the number of clients and/or agencies affected. It may be made up of QTC staff from across the organisation as well as staff of other agencies if required. The ISIRT acts as the single point of management for any breach, and the head of the ISIRT determines the need for, and provides where necessary, any notification to the QLD Information Commissioner.

Role: Leaders
Responsibilities: Leaders should keep themselves abreast of related policies and procedures while ensuring that staff under their supervision are aware of their obligations to report data breaches. Leaders must notify the Director of Cyber Risk and Strategy of suspected or actual data breaches.

Role: Privacy Officer
Responsibilities: The Privacy Officer is the central contact point in all matters related to privacy. In the event of a data breach, the Privacy Officer manages the relevant area’s breach response and provides advice to the Leader throughout the process.

Role: Director of Compliance
Responsibilities: It is the responsibility of the Director of Compliance, or their delegate, to assess whether the breach is an eligible data breach and, if so, to notify the QLD Information Commissioner and affected individuals.

Data breach notification requirements

Where QTC suspects that there has been an eligible data breach involving personal information held by QTC, it must:

  • prepare a statement which includes the information stated in section 51(2) of the IP Act;
  • give the statement to the QLD Information Commissioner; and
  • notify any individuals affected by the breach, including the information stated in section 53(2) of the IP Act.

Data breaches affecting another agency

Should QTC become aware that an eligible or suspected eligible data breach may affect another agency, QTC must give the other agency a written notice of the data breach that includes:

  • a description of the data breach; and
  • a description of the kind of personal information involved in the data breach, without including any personal information in the description.

QTC vendors

Vendors providing goods or services to QTC are obligated to notify QTC of any data breach involving personal information and must provide assistance to QTC so that it can meet its MNDB obligations.

Where we may not notify

QTC may be exempt from notifying individuals in certain circumstances, including:

  • where multiple agencies are involved in an eligible data breach and one of those agencies has already provided notification;
  • where notification of an eligible data breach would prejudice an ongoing investigation that could lead to the prosecution of an offence, or proceedings before a court or tribunal;
  • where compliance would worsen QTC’s cyber security or lead to further data breaches;
  • where QTC has taken action before the data breach results in harm or loss to individuals; or
  • where compliance would be inconsistent with a provision of an Act of the Commonwealth or a State that prohibits or regulates the use or disclosure of the information.

Record keeping requirements

Records of data breaches are stored and maintained in accordance with QTC’s records management policies and procedures. The Compliance team coordinates record keeping for each data breach, including maintenance of the QTC Data Breach Register.

Data breach register

QTC maintains an internal register of data breaches, including eligible data breaches. For eligible data breaches where QTC is unable, or it is not practicable, to notify individuals directly, QTC will publish a notification on its website, www.qtc.com.au.

The Data Breach Register is a requirement under the MNDB Scheme and will include the following details:

  • a description of the eligible data breach, including the type of data breach;
  • the date QTC gave a statement to the QLD Information Commissioner about the eligible data breach, and the date any additional information was provided to the Commissioner;
  • where individuals were directly notified about the eligible data breach, the individuals who were notified and the date and method by which they were notified;
  • where QTC has relied on an exemption from notifying either the Information Commissioner or individuals, details of the exemption;
  • details of the steps taken by QTC to mitigate harm done by the breach; and
  • details of the actions taken by QTC to prevent future breaches of a similar kind occurring.

QTC Staff Awareness

To ensure that QTC staff are, and remain, aware of their obligations under the MNDB Scheme, QTC will:

  • prepare and notify staff of its Data Breach Response Plan, and publish it and any additional relevant awareness material on its intranet;
  • undertake an awareness campaign on this Policy and its Data Breach Response Plan to ensure QTC staff understand their privacy obligations; and
  • provide refresher and on-the-job training as required.

Contact information

If you suspect that your personal information has been breached by QTC or any of its contractors or vendors, you can contact the QTC Compliance team at compliance@qtc.com.au.


Definitions

These definitions apply to this policy and any related policy documents.

Obligation: A requirement of an organisation imposed by an external source (e.g. legislation, or a Queensland Government requirement) or imposed by the organisation’s governing body or management (influenced by external sources).

MNDB scheme: Mandatory Notification of Data Breach scheme.

Personal Information: Personal information means information or an opinion about an identified individual or an individual who is reasonably identifiable from the information or opinion—
(a) whether the information or opinion is true or not; and
(b) whether the information or opinion is recorded in a material form or not.

Personal Information ‘held’ by QTC: Personal information is held by QTC, or QTC holds personal information, if the personal information is contained in a document in the possession, or under the control, of QTC.

Serious Harm: Serious harm is defined in schedule 5 of the IP Act as including:
(a) serious physical, psychological, emotional, or financial harm to the individual because of the access or disclosure; or
(b) serious harm to the individual's reputation because of the access or disclosure.

Likely to result: ‘Likely to result’ requires that the risk of serious harm to an individual be more than merely possible; it must be more probable than not to occur.