Our Data breach policy and procedure

Our commitment to you

The National Injury Insurance Scheme Queensland Agency (NIISQ Agency) is committed to protecting your privacy. We recognise the importance of your privacy and understand that people are concerned about the security and confidentiality of their personal information.

The NIISQ Agency owes an obligation of privacy to every individual it holds personal information about. We are committed to appropriately identifying, containing, and assessing data breaches. The purpose of this data breach policy is to explain how the NIISQ Agency manages and responds to data breaches.

What legislation applies to us?

Personal information is any information or opinion which identifies an individual or allows an individual to be reasonably identified. The Information Privacy Act 2009 (IP Act) outlines the rules we must comply with when handling personal information. These rules include the Queensland Privacy Principles (QPPs) and also a mandatory notification scheme for eligible data breaches (Notification Scheme). The QPPs tell us how we can collect, use, disclose, secure, and destroy your personal information. The Notification Scheme tells us how to manage eligible data breaches.

We handle your personal information in accordance with the IP Act, including the Notification Scheme.

  • A data breach means either of the following occurring in relation to information we hold:

    • unauthorised access to, or unauthorised disclosure of, the information
    • the loss of the information in circumstances where unauthorised access to, or unauthorised disclosure of, the information is likely to occur.

    We hold personal information if it is contained in a document in our possession (e.g. documents stored in our records management system) or under our control (e.g. documents possessed by our third party contracted services providers).

    What is unauthorised access or disclosure?

    Access or disclosure will be unauthorised if the information we hold is accessed or disclosed without proper permission, licence, or legitimate purpose, whether that happens intentionally or unintentionally. A lack of authorisation could occur within our agency, between agencies, or external to our agency. Access and disclosure are not mutually exclusive events. Unauthorised access to information, and unauthorised disclosure of information, will be a data breach.

    What is loss of information?

    We hold information if it is in a document that we possess or control. We have lost that information if we no longer have possession or control of the document, whether that loss happens deliberately or accidentally. Loss of information will be a data breach if the loss is likely to result in unauthorised access to, or unauthorised disclosure of, the information.

    What are some examples of data breaches?

    A data breach may occur:

    • internal to our agency, e.g. if a staff member browses agency records relating to a family member without a legitimate purpose
    • between government agencies, e.g. if our agency provides lawful access to our information for a joint government project and an officer from the other agency uses the information for something other than the project
    • outside our agency, e.g. if our information held in a database is compromised during a cyberattack and accessed by a malicious third party / threat actor.

  • An eligible data breach means both of the following occurring in relation to information we hold:

    • there is a data breach involving personal information
    • the data breach is likely to result in serious harm to an individual to whom the personal information relates.

    If serious harm is more likely than not to affect a person, or a subset of people, impacted by a data breach involving their personal information, then the data breach will be an eligible data breach.

    As noted above, we hold personal information if it is in a document in our possession, e.g. documents stored in our records management system, or under our control, e.g. documents possessed by our third party contracted services providers.

    What is serious harm?

    Serious harm includes:

    • serious physical, psychological, emotional, or financial harm to the individual because of the access or disclosure
    • serious harm to the individual’s reputation because of the access or disclosure.

    Serious harm occurs where the harm caused by the data breach has resulted, or may result, in a real and substantial detrimental effect on an individual. The effect on an individual must be more than mere irritation, annoyance, or inconvenience. Examples of harm include:

    • identity theft
    • financial loss
    • threats to personal safety
    • loss of business or employment opportunities
    • humiliation and embarrassment
    • damage to reputation or relationships
    • discrimination, bullying, or other forms of disadvantage or exclusion.

    If there are reasonable grounds to believe that the data breach has resulted in, or is likely to result in, serious harm to one or more of the individuals to whom the information relates, the data breach is considered an “eligible data breach”.

    What factors do we consider when assessing serious harm?

    We will consider the following matters when assessing serious harm:

    • the kind of personal information accessed, disclosed or lost
    • the sensitivity of the personal information
    • whether the personal information is protected by security measures
    • if the personal information is protected by security measures, the likelihood those measures could be overcome
    • the persons, or kinds of persons, who have obtained, or who could obtain, the personal information
    • the nature of the harm likely to result from the data breach
    • any other relevant matter.

    We may also consider the following additional relevant matters:

    • the amount of time the personal information was exposed or accessible
    • the circumstances of the individuals affected and their vulnerability or susceptibility to harm, that is, if any individuals are at heightened risk of harm or have decreased capacity to protect themselves from harm
    • the circumstances in which the breach occurred
    • actions we may have taken to reduce the risk of harm following the data breach.

  • If we know, or if we reasonably suspect, that a data breach is an eligible data breach then we must:

    • immediately take, and continue to take, all reasonable steps to:
      • contain the data breach
      • mitigate the harm caused by the data breach
    • if we are uncertain about whether the data breach is eligible, assess, within 30 days, whether there are reasonable grounds to believe the data breach is an eligible data breach of the agency.

    If we know, or reasonably believe, that a data breach is an eligible data breach then we must, as soon as practicable:

    • notify the Information Commissioner
    • notify particular individuals.

    If we become aware that an eligible data breach may affect another government agency, we must tell that agency.

  • The NIISQ CEO is ultimately responsible for agency compliance with the IP Act, including the Notification Scheme. The NIISQ RTI and Privacy Officer manages our privacy function. Our ICT team manages our information security and cyber function, including requirements under the Queensland Government information security policy IS18. This role is performed in collaboration with Queensland Treasury’s (QT) Information Services team due to our shared corporate services arrangement. Each data breach will need to be considered by the Agency on a case-by-case basis, including to assess whether personal information is impacted by the data breach and the notifications that may be warranted.

    All employees have a responsibility to ensure personal information they handle in the performance of their duties is managed in accordance with the IP Act. This includes completing data privacy training to enable them to appropriately identify, escalate, and investigate data breaches. A high-level overview of responsibilities within the agency is below.

    Persons and their responsibilities

    All internal agency officers:
    • handle personal information consistently with the IP Act
    • identify, escalate, and report data breaches to their managers, to the RTI and Privacy Officer to assess suspected eligible data breaches, and to Information Services to assess security incidents

    Business area impacted by breach:
    • collaborate with the RTI and Privacy Officer and/or ICT team, if needed, to take containment and mitigation action (must be undertaken immediately and on an ongoing basis as needed)
    • provide information needed for assessment and internal reporting
    • engage with any service providers, if needed
    • implement permanent prevention methods, if needed
    • consider any notifications required under contracts, memorandums of understanding or service level agreements, or legislation other than the IP Act or Commonwealth Privacy Act, if needed

    RTI and Privacy Officer:
    • collaborate with business areas on containment and mitigation action
    • undertake or recommend additional internal escalation/reporting as needed, e.g. Corporate Governance, People and Safety, ICT
    • assess the breach to see if it may be an eligible data breach that requires mandatory notification under the Notification Scheme in the IP Act or the Commonwealth Privacy Act

    Corporate Governance team:
    • maintain a Register of Eligible Data Breaches
    • provide a quarterly report to ELT and the Risk and Audit Committee on data breaches and eligible data breaches

    ICT team (supported by QT Information Services team):
    • handle management of security incidents, including any processes or notifications required under information security policy IS18
    • support data breach assessments under the IP Act and Notification Scheme (and Commonwealth Privacy Act) and help to implement any containment, mitigation, or prevention steps, if needed

    General Manager, Business and Advisory Services:
    • determine if notifications to the Information Commissioner, individuals, another agency, or any other entity are warranted in the circumstances
    • determine if external advisers or investigators are warranted
    • report to agency senior executives and the CEO, as needed

    CEO:
    • undertake any notifications about the breach on behalf of the agency
    • foster a privacy-conscious culture within the agency

  • Our response to a data breach will be conducted on a case-by-case basis to account for the varied types of data breaches that may occur. However, the NIISQ Agency’s strategy for responding to data breaches will generally cover the following steps:

    • step 1 – identify and escalate the data breach
    • step 2 – contain and mitigate the data breach
    • step 3 – assess the likelihood of serious harm from the data breach
    • step 4 – notify people about the data breach, where required or otherwise warranted
    • step 5 – implement preventative actions to minimise the likelihood of a similar data breach reoccurring.

    Every officer in our agency has a responsibility to identify, escalate, and manage data breaches.

    Step 1: How do we escalate data breaches?

    When a data breach is identified, internal staff are expected to report that breach to their managers and the RTI and Privacy Officer for assessment under the Notification Scheme and to the ICT team for assessment as a security incident.

    Additionally, when a data breach is identified and it is reasonably believed or suspected that potential serious misconduct by a NIISQ Agency employee may have caused or contributed to the data breach, it must be reported to the CEO, NIISQ Agency.

    External entities, including other agencies, third parties, or members of the public, may report a data breach by emailing the NIISQ RTI and Privacy Officer at privacy@niis.qld.gov.au if the breach relates to the Agency.

    The RTI and Privacy Officer will undertake or recommend any additional escalations/reports under privacy legislation, and the ICT team will undertake any processes or notifications required under information security policy IS18.

    Any report to the RTI and Privacy Officer will need to include details about the personal information involved in the breach and the circumstances surrounding the breach, to inform our containment/mitigation actions and our assessment.

    Step 2: What do we do to contain and mitigate a data breach?

    At this stage of a breach, we take steps to limit the extent and duration of the breach and to make any effects of the breach less harmful. We may take the following actions to contain and mitigate a data breach:

    • considering if personal information is impacted by the data breach
    • making efforts to recover the personal information
    • securing, restricting access to, or shutting down breached systems
    • suspending the activity that led to the data breach
    • revoking or changing access codes or passwords.

    The business group impacted by the data breach will collaborate as needed with the RTI and Privacy Officer and the ICT team to take any containment and mitigation actions.

    We have an immediate and ongoing obligation to contain the data breach and mitigate any harm while we manage our assessment of, and response to, the data breach.

    To determine the appropriate containment or mitigation actions, we may consider the following questions.

    • What happened to cause the data breach, and can interim controls be implemented?
    • Do we need to work with any third parties, other agencies, or service providers to investigate and resolve the data breach?
    • Can the personal information be recovered?
    • Can the person who has received personal information incorrectly be contacted?
    • Can the system which has been breached be shut down?

    Step 3: How do we assess data breaches?

    The RTI and Privacy Officer will assess the data breach to understand privacy risk, including an assessment to understand if the breach may be an eligible data breach, any likely consequences, and recommended next steps to be taken.

    As part of this assessment, we may consider the following questions.

    • What type of personal information is involved?
    • Who are the people potentially affected by the data breach?
    • What was the cause of the data breach?
    • Should we contact any other internal or external subject matter experts, e.g. technical investigators or auditors, ICT, QT Information Services or legal services?
    • What is the likelihood of serious harm to the affected individuals – is there an “eligible data breach”?
    • What steps should be taken by the agency to minimise or avoid any potential harm to individuals?
    • Does the agency need to notify anyone on a mandatory or voluntary basis?
    • Do any exceptions to notification under the Notification Scheme apply in the circumstances:
      • notification would prejudice an investigation or court/tribunal proceedings
      • another agency is undertaking the required notifications
      • remedial action has been taken such that there is no longer any likelihood of serious harm
      • notification would be inconsistent with a confidentiality provision in legislation
      • notification would create a serious risk of harm to a person’s health or safety
      • notification would compromise cybersecurity or lead to further data breaches.

    This assessment needs to be completed within 30 days of our agency becoming aware of the data breach. If we cannot complete our assessment within 30 days, we can extend that timeframe as we reasonably require.

    Step 4: When do we notify people about data breaches?

    If, following our assessment, we know, or reasonably believe that a data breach is an eligible data breach then we must, as soon as practicable:

    • notify the Information Commissioner
    • notify particular individuals.

    Please see the section below explaining how we handle notifications of eligible data breaches.

    Step 5: How do we prevent future data breaches?

    We endeavour to learn lessons from any data breaches so we can minimise the risk of similar incidents reoccurring. As part of future breach prevention, we may consider the following questions.

    • Can we provide training to our employees?
    • What was the root cause of the data breach?
    • Can we update our existing internal processes?
    • Does our internal register of eligible data breaches show any reoccurring issues?
    • Can we permanently implement any of the interim containment or mitigation actions taken in response to the breach?

    How do we handle notifications of eligible data breaches?

    Under the Notification Scheme, the CEO must, as soon as practicable after forming the belief that there has been an eligible data breach:

    • notify the Information Commissioner about any eligible data breach unless an exception applies
    • take steps to notify individuals about any eligible data breach unless an exception applies.

    The CEO may facilitate the notifications through the most appropriate business group in the agency, which may differ on a case-by-case basis.

    The method of notification is determined on a case-by-case basis; however, in such circumstances, we will generally:

    In addition, if we become aware the eligible data breach:

    • may affect another agency, we will give written notice to the other agency
    • warrants additional notifications on a voluntary or mandatory basis, we may notify other entities such as:
      • counterparties to contracts or memorandums of understanding
      • the Queensland Police Service
      • the Crime and Corruption Commission
      • the Queensland Government Insurance Fund
      • third party contracted services providers.

    What will we tell the Information Commissioner?

    If we determine a notification to the Information Commissioner is required under the Notification Scheme or is otherwise warranted, we may generally tell the Information Commissioner the following information:

    • the name of agency (or agencies) affected by the breach and how to contact the agency about the breach
    • the date the data breach occurred, how the data breach occurred, and a description of the type of eligible data breach, e.g. access, disclosure, loss
    • the period of time for which access to or disclosure of the personal information was available or made
    • a description of the kinds of personal information impacted by the breach
    • the steps we recommend individuals should take in response to the breach
    • any other agencies on behalf of whom we are reporting the breach
    • the steps the agency has taken to contain the breach and mitigate the harm caused to people by the breach
    • the number of people impacted by the breach including the number of people at likely risk of serious harm
    • the number of people who will be notified about the breach and whether those people have been advised of their rights to make a privacy complaint to the agency.

    What will we tell particular individuals?

    If we determine a notification to individuals is required under the Notification Scheme or otherwise warranted, we may generally tell people the following information:

    • the name of agency (or agencies) affected by the breach and how to contact the agency about the breach
    • the date the data breach occurred, how the data breach occurred, and a description of the type of eligible data breach, e.g. access, disclosure, loss
    • the period of time for which access to or disclosure of the personal information was available or made
    • a description of the kinds of personal information impacted by the breach
    • the steps we recommend individuals should take in response to the breach
    • any other agencies on behalf of whom we are reporting the breach
    • the steps the agency has taken to contain the breach and mitigate the harm caused to people by the breach
    • how people can make a privacy complaint to the agency.

    Depending on the circumstances, we may notify individuals directly or by publishing this information on our website.

    What will we tell other agencies?

    If we determine written notice to another agency is required under the Notification Scheme or otherwise warranted, we may generally tell the other agency the following information:

    • how to contact us about the breach
    • the date the data breach occurred, how the data breach occurred, and a description of the type of eligible data breach, e.g. access, disclosure, loss
    • a description of the kinds of personal information impacted by the breach
    • the steps we are taking in relation to the breach.

  • In addition to this policy, we implement and adhere to the following policies and processes to support the management of data breaches:

    • privacy policy
    • strategic plan
    • annual privacy training.

    For information about how we handle personal information more broadly, please refer to our Privacy policy.

Last updated: July 2025