Data Breach Standard

1. Purpose

Queensland Treasury Corporation (QTC) is committed to safeguarding its data, including personal information, by protecting it from loss, unauthorised access, misuse, or disclosure. This Standard outlines QTC’s process for managing, assessing, and mitigating the impact of a data breach in compliance with the Mandatory Notification of Data Breach (MNDB) scheme under the Information Privacy Act 2009 (Qld) (IP Act).

Data breaches are a category of incident and are managed in accordance with QTC’s Incident Management Procedure. Data breach‑specific response and notification requirements are set out in supporting plans and procedures.

2. Scope

This Standard applies to and must be adhered to by:

  • all QTC staff
  • any consultants and persons or organisations authorised to administer, develop, manage and support QTC’s information systems and assets, and
  • third party suppliers, vendors and contractors.

All staff have a responsibility to notify the Director of Security Operations of any data breach immediately after becoming aware that a data breach may have occurred and provide information about the data breach in accordance with QTC’s Data Breach Incident Response Plan.

3. What is a data breach

A data breach occurs where there is:

  • unauthorised access to, or unauthorised disclosure of, personal or confidential information, or
  • the loss of the information in circumstances where unauthorised access to, or unauthorised disclosure of the information is likely to occur.

A data breach may be caused by malicious action, human error, or a failure in information handling or security systems.

Examples of data breaches include:

  • loss or theft of physical devices (such as laptops and mobile phones) or paper records that contain personal information
  • unauthorised access to personal information by a QTC staff member, for example gaining access to a system or database that you are not authorised to access whether intentionally or unintentionally
  • a QTC staff member accidentally sends an email containing sensitive personal information to the wrong recipient
  • someone impersonates a trusted individual or organisation to trick a staff member into revealing confidential personal information
  • unintentional mishandling of personal information due to lack of training/awareness, for example, not setting up an Information Barrier when required or not adhering to QTC’s “need to know” policy, and
  • a third-party service provider or contractor working with QTC experiences a data breach, exposing QTC’s data held by them.

3.1 What is an eligible data breach

The MNDB Scheme applies where an eligible data breach has occurred.

For a data breach to be considered an “eligible” data breach under the MNDB scheme, there are two tests to be satisfied:

  1. there has been unauthorised access to, or unauthorised disclosure of, personal information held by QTC, or there is a loss of personal information held by QTC in circumstances where unauthorised access to, or unauthorised disclosure of, the information is likely to occur, and
  2. the unauthorised access to, or disclosure of the information is likely to result in serious harm to an individual to whom the personal information relates (an ‘affected individual’).

QTC recognises that the harm which can potentially arise from a data breach will vary based on the nature of the personal information involved and the context of the breach. Serious harm is defined in schedule 5 of the IP Act as including:

  • serious physical, psychological, emotional, or financial harm to the individual because of the access or disclosure, or
  • serious harm to the individual’s reputation because of the access or disclosure.

Examples of harms include:

  • identity theft
  • financial loss
  • threats to personal safety
  • loss of business or employment opportunities
  • humiliation and embarrassment
  • damage to reputation or relationships, and
  • discrimination, bullying, or other forms of disadvantage or exclusion.

Whether a data breach is ‘likely to result’ in serious harm requires that the risk of serious harm to an individual be more than merely possible; it must be more probable than not to occur. QTC will objectively test whether a data breach is likely to result in serious harm; the outcome of each test will be determined on the facts of the specific breach.

4. What QTC will do

If QTC reasonably suspects, but is not certain, that a data breach may qualify as an eligible data breach, it must assess whether there are reasonable grounds to confirm this. The assessment must be completed within 30 days unless an extension is required. If QTC cannot finalise the assessment within the 30-day timeframe, it may extend the period by a reasonable amount of time necessary to complete the process. However, this extension is subject to providing written notice to the Queensland Information Commissioner.

4.1 Process for managing a data breach

QTC has implemented robust security measures to safeguard the data it holds against loss, unauthorised access, use, modification, or disclosure. To effectively prevent and manage data security risks, QTC has established a comprehensive suite of policies and procedures.

As part of its approach, QTC has developed the Information Security Incident Response Plan, which provides detailed guidance on managing data breaches in line with this statement. This plan is reviewed every two years to maintain its relevance and effectiveness.

The Information Security Incident Response Plan aligns with this statement and the QTC Privacy Policy, as outlined on the QTC website, and applies to all QTC staff. Additionally, QTC has implemented information and data management policies to guide staff on the proper handling and storage of information, including personal information. For example, the Data, Information, and Records Management Procedure includes specific provisions addressing confidentiality, misuse, security, and the management of records.

4.1.1 Data breach notification requirements

Where QTC suspects that there has been an eligible data breach involving personal information held by QTC, it must:

  • prepare a statement which includes the information stated in section 51(2) of the IP Act
  • give the statement to the Queensland Information Commissioner, and
  • notify any individuals affected by the breach, including the information stated in section 53(2) of the IP Act.

4.1.2 Data breaches affecting another agency

Should QTC become aware that an eligible or suspected eligible data breach may affect another agency, we must give the other agency a written notice of the data breach that includes:

  • a description of the data breach, and
  • a description of the kind of personal information involved in the data breach, without including any personal information in the description.

4.1.3 QTC vendors

Where contractual arrangements require, vendors providing goods or services to QTC are obligated to notify QTC of any data breach that contains personal information and assist QTC to meet its MNDB requirements.

4.1.4 Where we may not notify

QTC may not notify individuals in certain circumstances including:

  • where multiple agencies are involved in an eligible data breach and one of those agencies has already provided notification
  • where an eligible data breach would prejudice an ongoing investigation that could lead to the prosecution of an offence or proceedings before a court or tribunal
  • where compliance would worsen QTC’s cyber security or lead to further data breaches
  • where QTC has taken action before the data breach results in harm or loss to individuals, or
  • compliance would be inconsistent with a provision of an Act of the Commonwealth or a State that prohibits or regulates the use or disclosure of the information.

4.2 Record keeping requirements

Records of data breaches are stored and maintained in accordance with QTC’s records management policies and procedures. The Compliance team coordinates record keeping for each data breach, including maintenance of the QTC Data Breach Register.

4.2.1 Data breach register

QTC maintains an internal register for data breaches, including eligible data breaches. For eligible data breaches where QTC is unable to notify individuals, or it is not practicable to do so, QTC will publish a notification on its website www.qtc.com.au.

The Data Breach Register is a requirement under the MNDB Scheme and will include the following details:

  • a description of the eligible data breach, including the type of data breach
  • the date QTC gave a statement to the Queensland Information Commissioner about the eligible data breach and the date any additional information was provided to the Commissioner
  • where individuals were directly notified about the eligible data breach, the register must include the individuals who were notified, the date and method by which they were notified
  • where QTC has relied on an exemption, exempting notification to either the Information Commissioner or individuals, details of the exemption
  • details of steps taken by QTC to mitigate harm done by the breach, and
  • details of the actions taken by QTC to prevent future breaches of a similar kind occurring.

4.3 QTC staff awareness

To ensure that QTC staff are and remain aware of their obligations under the MNDB Scheme, QTC will:

  • prepare and notify staff of its Data Breach Notification Management Plan and publish it and any additional relevant awareness material on its intranet
  • undertake an awareness campaign on this Policy and our Information Security Incident Response Plan to ensure QTC staff understand their privacy obligations, and
  • provide refresher and on-the-job training as required.

5. Reporting

If you suspect that your personal information has been breached by QTC or any of its contractors or vendors, you can contact the QTC Compliance team at compliance@qtc.com.au.

6. Roles and responsibilities

Role: All QTC Staff
Responsibilities: All QTC staff are responsible for managing information and data in accordance with this policy and must immediately report a suspected or actual data breach to their manager or the Director of Security Operations for further investigation.

Role: QTC Cyber Security Incident Response Team (CSIRT)
Responsibilities: A CSIRT may be stood up by the Director – Security Operations to respond to complex data breaches. The CSIRT’s scope and operational responsibilities are governed by the Information Security Incident Response Plan and supporting procedures. The CSIRT coordinates breach response and notification activities in accordance with QTC’s policies and applicable legislation.

Role: Leaders
Responsibilities: Leaders should keep themselves abreast of related policies and procedures while ensuring staff under their supervision are aware of their obligations to report data breaches. Leaders must notify the Director of Cyber Risk and Strategy of suspected or actual data breaches.

Role: Privacy Officer
Responsibilities: The Privacy Officer is the central contact point in all matters related to privacy. In the event of a data breach, the Privacy Officer manages the relevant area’s breach response and provides advice to the Leader throughout the process.

Role: Director – Compliance
Responsibilities: It is the responsibility of the Director – Compliance, or their delegate, to assess whether the breach is an eligible data breach and, if so, to notify the Queensland Information Commissioner and affected individuals.

7. Definitions

QTC Cyber Security Incident Response Team (CSIRT)
  The Cyber Security Incident Response Team (CSIRT) is an internal response team that may be established by the Director – Security Operations to manage and coordinate QTC’s response to complex data breaches. The CSIRT’s scope, authority and responsibilities are governed by the Information Security Incident Response Plan and supporting procedures and include coordinating incident response activities and required notifications in accordance with QTC policies and applicable legislation.

Likely to result
  ‘Likely to result’ requires that the risk of serious harm to an individual be more than merely possible; it must be more probable than not to occur.

MNDB scheme
  Mandatory Notification of Data Breach scheme.

Obligation
  A requirement of an organisation imposed by an external source (e.g., legislation, or a Queensland Government requirement) or imposed by the organisation’s governing body or management (influenced by external sources).

Personal information
  Personal information means information or an opinion about an identified individual or an individual who is reasonably identifiable from the information or opinion—
  (a) whether the information or opinion is true or not, and
  (b) whether the information or opinion is recorded in a material form or not.

Personal information ‘held’ by QTC
  Personal information is held by QTC, or QTC holds personal information, if the personal information is contained in a document in the possession, or under the control, of QTC.

Serious harm
  Serious harm is defined in schedule 5 of the IP Act as including:
  • serious physical, psychological, emotional, or financial harm to the individual because of the access or disclosure, or
  • serious harm to the individual’s reputation because of the access or disclosure.