Standards and Legislation > Notifiable Data Breaches Procedure
Authorised by Chief Executive Officer
Revised Date 20 September 2024
This procedure references the Information Privacy Act and the Privacy Amendment (Notifiable Data Breaches) Act 2017
In the event of a breach of Confidentiality and/or Privacy, the following procedure will take place:
1. The Manager of the relevant area is to be advised and is to investigate the breach.
2. Complete an in-house Incident Report.
3. Once the facts have been established, the Manager is to advise the CEO.
4. If information has been disclosed that could cause serious harm (including physical, psychological, emotional, financial or reputational harm), immediate steps must be taken to minimise the risk of harm.
5. If serious harm remains likely after all available steps have been taken, a notification must be submitted to the Office of the Australian Information Commissioner under the Notifiable Data Breaches (NDB) Scheme. The Scheme also requires that the assessment of a suspected breach be completed within 30 days of the entity becoming aware of it, and that the individuals at risk of serious harm be notified as soon as practicable. An eligible data breach happens if:
a) there is unauthorised access to, unauthorised disclosure of, or loss of, personal information held by an entity; and
b) the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates.
An entity must give a notification if:
a) it has reasonable grounds to believe that an eligible data breach has happened; or
b) it is directed to do so by the Commissioner.
A notification can be submitted at:
https://forms.business.gov.au/smartforms/landing.htm?formCode=OAIC-NDB
6. Depending on the nature of the breach, one or more of the following actions will commence.
a) The person or persons involved are to be counselled and trained by a manager and/or the CEO.
b) The person or persons involved may need to be performance managed for a duration determined by the CEO and/or the manager.
c) A deliberate or serious breach of confidentiality or privacy by a person or persons may result in termination of employment at the discretion of the CEO.
7. If the breach of confidentiality is caused by the CEO, a senior manager may report this to the Chairperson of the Board and a performance management process may ensue.
8. If the breach of confidentiality is caused by a Board Director, counselling/training may take place or the disciplinary procedure in the Kyeema Rules will be undertaken by the Board.
Any affected participant or carer will be informed that an appropriate process is being undertaken by management and that the breach is taken seriously.
Related Policies, Procedures and Documents:
Incident Reporting Policy & Procedure