Data Breach
What is an Eligible Data Breach?
A data breach occurs when Personal Information held by CN (whether held in digital or hard copy) is subject to unauthorised access, unauthorised disclosure or is lost in circumstances where the loss is likely to result in unauthorised access or unauthorised disclosure.
Examples of data breaches
a) Human error or deliberate misuse
- When a letter or email is sent to the wrong recipient.
- When system access is incorrectly granted to someone without appropriate authorisation.
- When a physical asset such as a paper record, laptop, USB stick or mobile phone containing personal information is lost or misplaced.
- When staff fail to implement appropriate password security, for example not securing passwords or sharing password and log in information
- When staff accesses or shares Personal Information where the staff or team do not require the Personal Information to do their job
b) System failure
- Where a system error allows access to a system without authentication, or results in automatically generated notices including the wrong information or being sent to incorrect recipients.
- Where systems are not maintained through the application of known and supported patches.
c) Malicious or criminal attack
- Cyber incidents such as ransomware, malware, hacking, phishing or brute force access attempts resulting in access to or theft of personal information.
- Social engineering or impersonation leading into inappropriate disclosure of personal information.
- Insider threats from staff using their valid credentials to access or disclose personal information outside the scope of their duties or permissions. Theft of a physical asset such as a paper record, laptop, USB stick or mobile phone containing personal information.
Mandatory Notification of Data Breach (MNDB) Scheme
Part 6A of the Privacy and Personal Information Protection Act 1998 (PPIP Act) establishes the MNDB Scheme.
Under the Mandatory Notification of Data Breach Scheme (MNDB Scheme), if an eligible data breach has occurred, 91妻友 must:
- make all reasonable efforts to contain the breach and try to reduce the likelihood that an individual will experience serious harm, and
- notify the NSW Privacy Commissioner and provide notifications to affected individuals in the event of an eligible data breach of their personal or health information
Public Notification Register
This register is maintained to ensure that individuals are able to access sufficient information about eligible data breaches to determine whether they may be affected by the breach and take action to protect their personal information. The following information will be provided in the Register:
- Date the breach occurred
- Description of breach
- How the breach occurred
- Type of breach (unauthorised disclosure, unauthorised access or loss of information)
- Personal information impacted
- Action taken to control or mitigate the harm
- Recommended steps individuals should take in response to the breach
- Name of agency involved
- Date the public notification was published
- Contact details for assistance or information
How long the information remains on the Register
The PPIP Act requires the information to be retained on the Register for at least 12 months after the date the notification is published. No information will appear on the Register if there are no notifications currently required to be published.
Please note that a formal register for Data Breach notification is under construction.
UPDATE - 8 OCTOBER 2024
91妻友 is aware of a breach by the NSW Electoral Commission of a data breach in compliance with their obligations under the Mandatory Notification of Data Breach Scheme (MNDB) Scheme. The data breach affects individuals enrolled in Ward 3 of the 91妻友 Local Government Area.
People who believe they are affected by this incident or who have been notified and would like more information should contact the NSW Electoral Commission on 1300 135 736 (Monday to Friday, 9.00am to 5.00pm AEST) or visit their website: https://elections.nsw.gov.au/contact-us