Data Breach Policy
Policy statement and key principles
This policy outlines ILGA’s procedures in the event of data breaches involving personal information.
1. Introduction
This Data Breach Policy (Policy) sets out an overview of ILGA’s procedures in relation to detecting, responding to, managing, notifying and reporting eligible data breaches in accordance with the Mandatory Notification of Data Breach Schedule (the MNDB Scheme) under Part 6A of the Privacy and Personal Information Protection Act 1998 (NSW) (PPIP Act).
This policy complies with section 59ZD of the PPIP Act and provides a framework for ILGA’s compliance with the MNDB Scheme.
ILGA personnel should consult the Data Breach Response Plan for detailed guidance on how to respond to a data breach in accordance with this Policy.
The purpose of this Policy is to set out how ILGA will respond to data breaches involving personal information. While not all data breaches will be eligible data breaches, ILGA takes all data breaches seriously and will assess each data breach in accordance with this Policy.
1.1 Definitions
Term | Definition
--- | ---
Data Breach Response Team | A team consisting of ILGA personnel responsible for coordinating and managing ILGA’s response to a data breach.
Data breach | When information held by ILGA is subject to unauthorised access, unauthorised disclosure or is lost in circumstances where the loss is likely to result in unauthorised access or unauthorised disclosure, or any accidental or unlawful destruction or alteration of personal information held by (or on behalf of) ILGA.
Data Breach Response Plan | A detailed internal plan outlining the steps required for ILGA personnel to contain, assess, investigate and respond to a data breach.
DCITHS | Principal Department, Department of Creative Industries, Tourism, Hospitality and Sport
Eligible data breach | A data breach which has satisfied the following two tests under the MNDB Scheme:
GRC Committee | ILGA Governance, Risk and Compliance Committee
Health information | Any personal information that is information or an opinion about a person’s physical or mental health or disability or the provision of health services to them, including an individual’s express wishes about the future provision of health services to them (section 6 of the Health Records and Information Privacy Act 2002 (NSW) (HRIP Act)).
Likely to result in serious harm | ‘Likely’ means the risk of serious harm to an individual is more probable than not.
Personal information | Information or an opinion about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion (see section 4 of the PPIP Act). In this policy, unless otherwise noted, personal information also encompasses ‘health information’ as defined in section 6 of the HRIP Act. This means for the purposes of the MNDB Scheme (Part 6 of the PPIP Act only), ‘personal information’ includes information about an individual’s physical or mental health, disability, and information connected to the provision of a health service.
Serious harm | Occurs where the harm arising from the eligible data breach has resulted, or may result, in a real and substantial detrimental effect to the individual. The effect on the individual must be more than mere irritation, annoyance or inconvenience. Harm to an individual includes serious physical, psychological, emotional, financial or reputational harm.
Personnel | All ILGA permanent full-time, part-time, volunteer, trainee and temporary employees, board members and staff authorised to access ILGA information systems and assets. Any consultants and persons or organisations authorised to administer, develop, manage and support ILGA information systems and assets. Any third party suppliers, vendors, contractors and hosted managed service providers.
1.2 Scope
This Policy applies to and must be adhered to and implemented by all personnel.
All personnel have a responsibility to notify the Director, OILGA of any data breach immediately on becoming aware that a data breach has occurred and provide information about the data breach in accordance with procedures in ILGA’s Data Breach Response Plan.
Roles and responsibilities are detailed in the Data Breach Response Plan.
2. What is an eligible data breach?
A data breach occurs when there has been unauthorised access to, unauthorised disclosure of or loss of personal information (including health information) held by (or on behalf of) ILGA or any accidental or unlawful destruction or alteration of personal information held by (or on behalf of) ILGA.
A data breach may occur as the result of a malicious action, systems failure or human error. A data breach may also occur because of a misconception as to whether a particular act or practice is permitted under the PPIP Act.
Examples of data breaches include:
Malicious or criminal attack
- Cyber incidents such as ransomware, malware, hacking, phishing or brute force access attempts resulting in access to or theft of personal information.
- Social engineering or impersonation leading to inappropriate disclosure of personal information.
- Theft of a physical asset such as a paper record, laptop, USB stick or mobile phone containing personal information.
System fault
- Where a coding error allows access to a system without authentication, or results in automatically generated notices that include the wrong information or are sent to incorrect recipients.
- Where systems are not maintained through the application of known and supported patches.
Human error
- When a letter or email is sent to the wrong recipient.
- When system access or release of confidential information is incorrectly granted.
- When a physical asset such as a paper record, laptop, USB stick or mobile phone containing personal information is lost or misplaced.
- When staff fail to implement appropriate password security, for example not securing passwords or sharing password and login information.
If there are reasonable grounds to believe that the data breach has resulted in, or is likely to result in, serious harm to one or more of the individuals to whom the information relates, the data breach is an ‘eligible data breach’.
Serious harm occurs where harm arising from the eligible data breach has resulted, or could result, in a real and substantial detrimental effect on an individual and includes serious physical, psychological, emotional, financial, or reputational harm. Examples of harms include identity theft, financial loss or blackmail, threats to personal safety, loss of business or employment opportunities, humiliation, stigma, embarrassment, damage to reputation or relationships, discrimination, bullying, marginalisation, or other forms of disadvantage or exclusion.
Assessment of the likelihood of serious harm from a data breach is an objective test. ‘Likely to result’ means the risk of serious harm to an individual is more probable than not.
3. Process for managing a data breach
ILGA takes reasonable security safeguards against the loss, unauthorised access, use, modification and disclosure of personal information. The ILGA Data Breach Response Plan provides detailed guidance on how to respond to a data breach in accordance with this Policy.
ILGA’s security measures further include the use of restricted drives and authorised access.
4. Data breach response and reporting
ILGA will consider a number of factors in assessing a data breach, including the NSW Privacy Commissioner’s statutory guidelines, and will take the following steps in response to all data breaches:
Step 1: Contain the data breach and conduct a preliminary assessment
Containment steps will depend on the nature of the breach but may include shutting down the system affected by the breach and such other steps necessary to mitigate the impact of the breach and the risk of harm to individuals and ILGA. These steps will be guided by the DCITHS Cyber Security Team.
- The DCITHS Cyber Security Team will be informed and a Breach Response Team assembled
- Preliminary fact-finding about the breach will be conducted along with a preliminary assessment of the risk posed by the data breach
- An incident is formally declared, and the scope, severity, and potentially affected stakeholders are defined
- All reasonable steps will be taken to contain the breach and limit any further access or distribution of the affected personal information.
The Data Breach Response Team will consist of:
- The ILGA Chairperson with responsibility for final approval on decisions and proposals by the Data Breach Response Team (or the Deputy Chairperson or another board member, if unavailable)
- Director OILGA who will lead the assessment, mitigation and notification of the data breach
- ILGA legal team who will identify and advise on any legal obligations and support the drafting of notifications and communications issued under this Policy
- Manager OILGA who will liaise with the DCITHS Cyber Security Team and any related ICT partners as required to obtain and provide information into the cause and impacts of the data breach
- DCITHS Cyber Security Team to lead with all ICT related components
- Any internal or external expertise and incident response advisors the Data Breach Response Team determines are required to complete the assessment and mitigation of the data breach.
Step 2: Evaluate and mitigate the risks associated with the data breach
- Complete an assessment of the harm that has eventuated from the breach and its impact. The assessment includes considering the following matters:
  - The type of information involved
  - Cause and extent of the breach
  - Whether there is a risk of ongoing breaches or further exposure
  - Whether this is an isolated incident or a systematic problem
  - Who is affected by the breach.
- As soon as practicable, take remedial action to prevent or mitigate the likelihood that the breach will result in harm to any individual.
- Consider requirements under any third party agreements and third party organisations or agencies whose data may be affected.
Step 3: Notify and communicate
- If the breach is assessed as an eligible data breach, on the advice of the Data Breach Response Team, the appropriate communications messaging templates and procedures in the Data Breach Response Plan will be used to notify the Privacy Commissioner and affected individuals where required.
- Where ILGA is unable to notify, or where it is not reasonably practicable to notify, any or all individuals whose personal information was the subject of the breach, ILGA will publish a notification on its website in a public notification register, and will take reasonable steps to publicise that notification, as required under the PPIP Act.
In accordance with section 59O of the PPIP Act, the notification will include the following specific information, if reasonably practicable:
- The date the data breach occurred
- A description of the data breach
- How the data breach occurred
- The type of data breach that occurred
- The personal information included in the data breach
- The amount of time the personal information was disclosed for
- Actions that have been taken or are planned to secure the information, or to control and mitigate the harm
- Recommendations about the steps an individual should take in response to the data breach
- Information about complaints and review of agency conduct
- The name of the agencies that were subject to the data breach
- Contact details for the agency subject to the data breach or the nominated contact person in relation to the data breach
Step 4: Prevent future data breaches
- Prepare lessons learned for upward sharing
- A post-incident review of the process used for the data breach after it has been handled will be conducted and reported to the Data Breach Response Team with details of any recommendations.
- The Breach Response Team will review the circumstances of the breach, including:
  - What went wrong
  - How the issues are addressed; and
  - Whether changes are needed to processes and procedures to prevent a similar breach from occurring in the future
- Cyber security controls to be improved and additional controls to be implemented
- Data Breach Policy and Plan to be updated accordingly.
Step 5: Record keeping requirements
- OILGA will maintain an internal register of all eligible data breaches impacting ILGA.
- ILGA will maintain a public notification register on the ILGA website. This will be a public notification register of eligible data breaches where ILGA is unable to notify, or it is not reasonably practicable to notify affected individuals.
- For further detailed requirements of our internal and external reporting, personnel must follow the Data Breach Response Plan.
5. ILGA personnel awareness
To ensure that ILGA personnel are and remain aware of their obligations under the MNDB Scheme, ILGA will:
- Prepare and notify staff of the Data Breach Response Plan
- Encourage ILGA personnel to complete the ID Support NSW data breaches eLearning module
- Socialise this Policy and the Data Breach Response Plan when available to raise awareness and appreciation of these privacy obligations generally
- Provide refresher and on-the-job training as required; and
- Schedule an annual review and update of this Policy, or more frequent reviews and updates if needed.
6. Further information and contacts
For further information about this Policy or an eligible data breach on the public notification register, or if you have any concerns, please contact ILGA:
Independent Liquor and Gaming Authority
McKell Building 2-24 Rawson Place
Sydney NSW 2000
Email: office@ilga.nsw.gov.au
For more information on privacy rights and obligations in New South Wales, please contact the NSW Privacy Commissioner at:
NSW Information and Privacy Commission
Level 17, 201 Elizabeth Street
Sydney NSW 2000
Phone: 1800 472 679
Web: www.ipc.nsw.gov.au
Email: ipcinfo@ipc.nsw.gov.au
7. Additional Support Resources
The following resources are to be utilised either during the preparation for handling a cyber incident, or in meeting mandatory or voluntary reporting requirements following a breach.
Australian Government
- ACSC Guidelines for Cyber Security Incidents
- NSW Cyber Security Incident Emergency Sub Plan
- NSW Cyber Security Policy
- NSW Cyber Security Awareness Resources
- Cyber Incident Management Arrangements (CIMA)
- Government Sector Employment Act 2013
Law Enforcement
Incident Reporting
- ACSC ReportCyber
- Cyber Security NSW (report@cyber.nsw.gov.au)
- DCITHS Cyber Security Team (cybersecurity@dciths.nsw.gov.au)
- OAIC Notifiable Data Breach Reporting
8. Breach of Policy
A breach of this policy may lead to disciplinary action including termination of employment or engagement. Individuals found to have committed an offence under any relevant legislation may also be subject to penalties as prescribed by the legislation, which can include imprisonment.