WorkCover Queensland data breach policy
Summary
This is a policy which sets out how WorkCover Queensland (WorkCover) will respond to a data breach, including a suspected Eligible Data Breach of WorkCover. Under the Information Privacy Act 2009 (Qld) (IP Act) WorkCover is to publish this policy on https://www.worksafe.qld.gov.au.
Purpose
The purpose of this Policy is to facilitate the timely and effective response to a data breach of WorkCover, with the aim of avoiding or mitigating potential harms to affected individuals and reducing risks to WorkCover.
Definitions
Some terms used in this Policy are set out in Attachment 1.
How can data breaches occur?
Data breaches are not limited to malicious actions taken by external parties, such as theft or hacking. Data breaches could also arise from internal errors or failures to follow internal processes and controls designed for managing information, which could lead to unintentional loss or disclosure. Examples where data breaches can occur include:
- malicious acts, for example:
- a cyber-attack by a third party (for example via hacking, malware, or phishing) resulting in unauthorised access to a network and copying of files (such as for espionage, theft or ransom purposes);
- an unauthorised third party obtaining a WorkCover employee’s network login credential and using it to access and steal records;
- privilege abuse by a WorkCover employee or contractor, resulting in unauthorised disclosure or modification of files (for example, for financial gain or due to workplace grievances); and
- theft of laptops, USB flash drives or hard copy files;
- accidental acts (these may be, for example, the result of human error), for example:
- loss of laptops, portable storage devices or hard copy records;
- emailing documents without encryption;
- emailing or mailing documents to the wrong person;
- misconfiguration of website settings, resulting in accidental, unrestricted online publications; and
- accidental inclusion of personal information in correspondence to a third party;
- a failure in information management systems, for example:
- data security software failures;
- failure to develop and apply sufficient protection measures; and
- secure document destruction service providers failing to destroy data securely.
WorkCover’s preparations for responding to a data breach
WorkCover's policy is to establish controls, systems and processes for expeditiously identifying suspected or actual data breaches, with the aim of ensuring that data breaches are effectively managed and that harms to individuals are avoided or mitigated. These controls, systems and processes are to include the following.
Staff training
WorkCover’s Privacy Committee members are to undergo induction training, and all WorkCover staff are to undergo yearly compliance training. All such training is to include training on privacy matters, including WorkCover’s responses to data breaches.
Reporting a data breach
Anyone may report an actual or suspected data breach of WorkCover. This includes WorkCover's staff and contractors, members of the public or any other government agency. For WorkCover’s staff and contractors, there are to be internal data breach reporting procedures. For all others, a report of an actual or suspected data breach of WorkCover can be directed to the contacts set out under “WorkCover’s data breach contacts” below.
Incident reporting systems
Appropriate measures are in place pursuant to WorkCover’s policies concerning information security with the aim of detecting, managing and responding to activities that may lead to a potential data breach. These are to be monitored on a 24/7 basis and compliance must be audited annually (or earlier if the circumstances so warrant).
Detailed plan for data breach responses
WorkCover is to maintain procedures (including decision-making criteria) for managing data breach incidents in a standardised manner within the framework established by this Policy. Such procedures are to be designed with the aim of ensuring the response processes result in compliance with legal obligations (including mandatory data breach notification requirements) and good privacy practices.
Communications
WorkCover’s Privacy Committee Chair is to have responsibility for coordinating communications regarding data breaches. This may involve consulting with external stakeholders, contractors or other third parties who may be impacted by any data breaches. Communications may include preparing notification letters, communications with other potentially affected agencies, and liaising with the Information Commissioner.
Testing and review schedule
WorkCover is to have regular testing and review of how it responds to data breaches and of this Policy, with the aim of ensuring that this Policy remains operationally effective, up-to-date and aligned with WorkCover's structure and function and with changes in relevant external threat environments.
Alignment with other policies
WorkCover has other published policies and procedures for compliance with laws which relate to privacy. In addition to this Policy, refer to:
- WorkCover Queensland Privacy Framework
- WorkCover Queensland Privacy Policy
WorkCover’s strategy for containing, assessing, and managing data breaches
The steps WorkCover is to take to respond to a suspected or actual data breach involve the actions set out in this section.
Initial identification and evaluation
As soon as anyone becomes aware of something they think may be a data breach of WorkCover, they should make contact with WorkCover. Contact details are set out below and additional contact information is provided to WorkCover staff in procedure documents.
The training referred to above is to enable all WorkCover staff to identify what an actual or suspected data breach is, how one may occur, and the distinction between a data breach, an Eligible Data Breach and a Suspected Eligible Data Breach. When a data breach is reported (either from someone outside WorkCover or internally), the assessment and evaluation procedures referred to below are to occur.
The person reporting the incident is to be asked to give as much information as they can about the incident and their best contact details for any follow-up questions.
Containment and mitigation
WorkCover's first priorities are to protect personal information and prevent harms.
Those responsible at WorkCover for managing the suspected breach are to take immediate action to close it and immediate and continuing steps to mitigate its effects. What these are will depend on the nature of the incident. Data breach containment measures are not to include those which may inhibit later investigations by WorkCover or which may destroy evidence.
WorkCover's data breach containment and mitigation measures are to be ongoing while the data breach incident is being managed. Containment and mitigation measures include WorkCover’s Privacy Committee members' investigation of privacy complaints and making recommendations about, or undertaking, remedial work.
Assessing and evaluating
Immediate escalation
On becoming aware of any suspected data breach incident, all WorkCover employees and contractors are to immediately report the matter to their immediate manager who will report it to WorkCover's Privacy Committee.
Incident logging
The Privacy Committee, in consultation with the person making the report, is to enter details about the incident in relevant record-keeping, including WorkCover’s Register of Eligible Data Breaches required under the IP Act.
Escalation
WorkCover is to have processes in place for appropriate escalation of data breach management, depending on the nature of the suspected data breach. For example, for suspected Eligible Data Breaches and data breaches involving TFN information, that escalation must always occur. Escalation processes involve initial reporting to managers, then further reporting to a WorkCover Privacy Committee member and/or WorkCover’s Privacy Committee Chair. Data Breach Response Teams, involving senior representatives from various business and operations teams within WorkCover, may be convened for particular data breaches if the Privacy Committee Chair considers it appropriate to do so.
Serious harm assessment
Serious harm assessment is to include considering the following:
- the kind of personal information accessed, disclosed or lost;
- the sensitivity of the personal information;
- whether the personal information is protected by one or more security measures;
- if the information is protected by one or more security measures, the likelihood that any of those security measures could be overcome;
- the persons or kind of persons who have obtained, or who could obtain, the personal information;
- the nature of the harm likely to result from the data breach. Examples are:
- identity theft;
- financial loss;
- threat to physical safety;
- threat to emotional wellbeing;
- loss of business or employment opportunities;
- humiliation, damage to reputation or relationships;
- workplace or social bullying or marginalisation; and
- any other relevant matter.
- the risk of other harms such as:
- loss of public trust;
- reputational damage;
- loss of assets;
- financial exposure;
- regulatory penalties;
- extortion;
- legal liability;
- breach of confidentiality or secrecy provisions in any applicable law or contracts; and
- any other relevant matter.
Other affected agencies
If a data breach incident might affect another agency as well as WorkCover, WorkCover will make contact with that other agency’s data breach response team and, in consultation, determine whether the data breach of WorkCover is also a data breach of the other agency and resolve whether ongoing assessments are to be carried out by WorkCover or by the other agency.
Timing to complete assessment
WorkCover is to comply with the 30-day timeframe for assessment of a suspected Eligible Data Breach as required by the IP Act, subject to extensions which may be requested as recognised by that Act, or adjusted as appropriate under relevant Commonwealth laws if the incident may involve TFN information.
Notification actions
Exemptions
If WorkCover decides that it has reasonable cause to believe that there has been an Eligible Data Breach, it will also initially consider the extent to which any exemptions from WorkCover's mandatory notification obligations apply. The exemptions are set out in the IP Act.
Notification of individuals
If no relevant exemptions apply, then as soon as practicable after WorkCover has reasonable cause to believe that there has been an Eligible Data Breach, WorkCover is to take reasonable steps to notify affected individuals in the ways and with the details required by the IP Act, including the information set out under “Information for individuals” below. WorkCover’s processes include template notification text. If it is not reasonably practicable for WorkCover to notify affected individuals directly, then WorkCover's notification is to be done via WorkCover's website, and remain posted on the website for at least 12 months.
Information for individuals
The information which individuals are to be given about an Eligible Data Breach of WorkCover which may affect them is the following:
- WorkCover’s name and, if more than one agency was affected by the data breach, the name of each other agency.
- WorkCover’s contact details, or those of a person nominated by WorkCover for individuals to make contact with in relation to the data breach.
- The date the data breach occurred.
- A description of the data breach, including the type of Eligible Data Breach (namely (a) one involving unauthorised access to, or unauthorised disclosure of, personal information or (b) personal information being lost in circumstances where unauthorised access to, or unauthorised disclosure of, the personal information is likely to occur).
- Information about how the data breach occurred.
- For notification directly to individuals, a description of the personal information the subject of the data breach and WorkCover’s recommendations about the steps the individual should take in response to the data breach. For notifications via WorkCover’s website, a description of the kind of personal information the subject of the data breach, without including any personal information in the description and WorkCover’s recommendations about the steps individuals should take in response to the data breach.
- If the data breach involved unauthorised access to or disclosure of personal information, the period during which the access or disclosure was available or made.
- The steps WorkCover has taken or will take to contain the data breach and mitigate harm caused to individuals by the data breach.
- Whether the individuals notified have been advised about how to make a privacy complaint to WorkCover. Under the IP Act, a privacy complaint to WorkCover requires that it be in writing; state an address to which WorkCover might respond to the complaint; give particulars of the act or practice the subject of the complaint; and be made within 12 months after the complainant became aware of the act or practice the subject of the complaint, or a longer period agreed by WorkCover. WorkCover is to give reasonable help to the individual to put their complaint in writing.
Where notification is given via WorkCover's website, such information need not be given to the extent it would prejudice WorkCover's functions.
Roles and responsibilities of WorkCover’s data breach response personnel
Refer to section “Escalation” above. The main responsibilities for WorkCover’s data breach management are those of WorkCover’s Privacy Committee led by WorkCover’s Privacy Committee Chair.
Record keeping
WorkCover is to keep a record of the data breaches and its responses to them as referred to at “Assessing and evaluating” above.
Post-breach review and evaluation procedures
WorkCover’s Privacy Committee is to discuss, at least on a quarterly basis, any recurring data breaches and discuss ways to mitigate them. Internal reporting to WorkCover senior management is to include reporting on privacy compliance, including on data breach management.
WorkCover’s data breach contacts
For all communications with WorkCover about privacy matters, the following contact details may be used:
Address: WorkCover Queensland, GPO Box 2459, Brisbane QLD 4001
Attention: Corporate Relations Manager
Email: corporate.affairs@workcoverqld.com.au
Telephone: 1300 362 128
Modifications and updates
WorkCover may change this policy from time to time. If WorkCover does this, it is to give at least 14 days’ prior notice of the change via a posting on WorkCover’s website.
Attachment 1 Definitions
Term | Meaning |
---|---|
Data breach | The unauthorised access to, or unauthorised disclosure of personal information or the loss of personal information in circumstances where unauthorised access to, or unauthorised disclosure of, the personal information is likely to occur in accordance with schedule 5 of the IP Act. |
Eligible Data Breach | An “Eligible Data Breach” will have occurred under section 47 of the IP Act where: there has been unauthorised access to, or unauthorised disclosure of personal information held by an agency, or loss of personal information held by an agency that is likely to result in unauthorised access to, or unauthorised disclosure of the personal information, and the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates. |
Information Commissioner | The Queensland Information Commissioner. |
IP Act | The Information Privacy Act 2009 (Qld). |
Personal information | Information or an opinion about an identified individual or an individual who is reasonably identifiable from the information or opinion: whether the information or opinion is true or not, and whether the information or opinion is recorded in a material form or not. |
Serious harm | To an individual in relation to the unauthorised access or unauthorised disclosure of the individual’s personal information, includes, for example: serious physical, psychological, emotional or financial harm to the individual because of the access or disclosure, or serious harm to the individual’s reputation because of the access or disclosure. |
TFN | A tax file number (TFN) is a unique identifier issued by the Commissioner of Taxation to individuals and entities for tax administration purposes. |