Data Breach Response Plan
1. Background to this Plan
The Melbourne Racing Club and its subsidiaries and related entities (MRC) have obligations under the Privacy Act 1988 (Cth) (Act) to take reasonable steps to protect the personal information that we hold from misuse, interference and loss, and from unauthorised access, modification or disclosure. One of those reasonable steps includes the preparation and implementation of a data breach response plan.
MRC’s liability for not taking reasonable steps to prevent and/or respond to data breaches (including if this policy is not complied with) can be up to $1.8 million in civil penalties, as well as the significant reputational damage that can occur in the event of a data breach.
MRC’s actions in the first 24 hours after discovering a data breach are often crucial to the success of the response. A quick response can substantially decrease MRC’s liability and the impact on the affected individuals.
The purpose of this data breach response plan (Plan) is to set out procedures and clear lines of authority for MRC staff in the event that MRC experiences a data breach (or suspects that a data breach has occurred).
2. Scope of the Plan
This is a mandatory policy that applies to all employees of MRC, whether permanent, temporary, casual, part-time or fixed-term contract employees. This policy also applies to all partners and third parties who have access to MRC information or information systems.
3. What is a data breach?
A data breach occurs when personal information is lost or subjected to unauthorised access, modification, use or disclosure or other misuse.
Data breaches can be caused or exacerbated by a variety of factors, affect different types of personal information and give rise to a range of actual or potential harms to individuals, agencies and organisations.
A data breach can occur when:
- an employee accidentally downloads a virus (eg. by clicking on an email link);
- a device containing customers’ personal information is lost or stolen;
- a mobile device or laptop is misplaced in public (even temporarily);
- hard copy data is stolen or copied (for example, information written on a note or information disposed of in bins);
- an employee’s login details are shared, guessed or stolen;
- any third party or contractor is given access to our buildings, IT systems or Confidential Information;
- an MRC website is hacked or develops a vulnerability;
- a database containing personal information is hacked; and
- personal information (or a database containing personal information) is mistakenly distributed or provided to the wrong person.
4. What is ‘personal information’?
‘Personal information’ is defined in the Act as information or an opinion about an identified individual, or an individual who is reasonably identifiable, regardless of whether the information or opinion is true or not or recorded in a material form or not.
A number of different types of information are explicitly recognised as constituting personal information under the Act. For example, the following types of information can be types of personal information:
- racial or ethnic origin
- political opinion
- religious beliefs
- sexual orientation
- criminal record
- health information
- credit information
- employee record information
- tax file number information
5. What happens when a data breach occurs?
The diagram below sets out the mandatory process to be undertaken in the event any MRC employee, or a third party in possession of MRC’s personal information, becomes aware of any potential data breach.
The following sets out more detail for each of Steps 5.1 to 5.9.
5.1. Data breach experienced or suspected
The breach is discovered by an employee or third party, or an employee or third party is otherwise alerted to it.
5.2. Alert manager to breach
Employee or third party must immediately notify their relevant MRC manager (or in their absence, any other manager) of the suspected data breach.
5.3. Confirm and consider breach
As soon as possible, managers (with the assistance of the employee or third party) must record in writing:
- the time and date the suspected breach was discovered
- the type of personal information involved
Managers must use their discretion to determine, based on the principles below, whether the breach requires escalation to the data breach response team (Response Team).
Some data breaches may be comparatively minor, and able to be dealt with easily without escalation to the Response Team. For example, an MRC employee may, as a result of human error, send an email containing personal information to the wrong recipient. Depending on the sensitivity of the contents of the email, if the email can be recalled, or if the employee can contact the recipient and the recipient agrees to delete the email, there may be no need to escalate the issue to the Response Team.
Managers should consider the following questions:
- Are multiple individuals affected by the breach or suspected breach?
- Is there (or may there be) a real risk of serious harm to the affected individual(s)?
- Does the breach or suspected breach indicate a systemic problem in MRC’s processes or procedures?
- Could there be media or stakeholder attention as a result of the breach or suspected breach?
- Are there any other issues relevant to the circumstances, such as the value of the data to you or issues of reputational risk?
If the answer to any of the above questions is 'yes', then it is most likely appropriate for the manager to notify the Response Team. A manager should immediately escalate a breach to the Response Team where they are unsure of the answers to any of the above questions or unsure about the full nature or extent of the breach.
If a manager decides not to escalate a minor data breach or suspected minor data breach to the Response Team for further action, the manager should, as soon as possible:
- send a brief email to Legal Counsel that contains the following information:
  - a description of the breach or suspected breach;
  - the action taken by the manager or any employee to address the breach or suspected breach;
  - the outcome of that action; and
  - the manager’s view that no further action is required; and
- assist Legal Counsel in recording the breach on the Data Breach Register (see section 8 below).
5.4. Notify data breach response team
If:
- the manager has decided in Step 5.3 above that the breach must be escalated; or
- after receiving notification from a manager, Legal Counsel determines that a breach requires escalation,
that person must immediately send an email addressed to every member of the Response Team setting out the details of the breach and requesting that the matter be escalated to the responsibility of the Response Team.
The Response Team must act as expeditiously as possible and in any event must have finalised its investigation (i.e. conducted Steps 5.5-5.7) within 30 days from the identification of the data breach.
5.5. Contain and remediate the breach
Upon receipt of an email as set out in Step 5.4 above, the Response Team must convene a meeting to be held as soon as practicable to discuss containment of the breach and further steps. To the extent that a member of the Response Team is unavailable, it is recommended that the Response Team invite another staff member from the relevant department to the meeting.
Every data breach will be different and each must be dealt with on a case-by-case basis, by undertaking an assessment of the risks involved, and using that risk assessment to decide the appropriate course of action.
Steps 5.5, 5.6 and 5.7 should ideally be undertaken simultaneously or in quick succession.
The Response Team must immediately take any appropriate action to contain the breach, which could include:
- working with information technology/CET departments to address the issue (including adopting procedures recommended in any internal IT policies in place from time to time); and
- alerting building security and/or appropriate MRC staff.
If the Response Team is able to promptly and effectively respond to a data breach through remedial action, such that the breach is not likely to, or does not, result in serious harm, MRC will not be required to comply with the notification requirements in Step 5.7 below.
5.6. Undertake a preliminary assessment
The Response Team must work together to promptly conduct an initial investigation (including the collection of evidence where necessary), and should consider the following:
- the date, time, duration, and location of the breach
- the type of personal information involved in the breach
- how the breach was discovered and by whom
- the extent of the breach (eg. the number of individuals affected)
- a list of the affected individuals, or possible affected individuals
- the risk of serious harm to the affected individuals
The Response Team should then assess priorities, including notification procedures (see Step 5.7 below), further remedial action and/or the development of a media/communications strategy if deemed necessary.
The Response Team must keep appropriate records of the investigation and the decision making process.
5.7. Undertake notification procedures
5.7.1. OAIC notification test
The obligation to immediately notify the Office of the Australian Information Commissioner (OAIC) and affected individuals is only triggered in circumstances where a data breach constitutes an ‘eligible data breach’ and where MRC has not received an exemption from the Privacy Commissioner (see Step 5.7.2 below).
An ‘eligible data breach’ is a data breach which is likely[1] to result in serious harm to the affected individuals.
An assessment as to whether an individual is likely to suffer ‘serious harm’ as a result of an eligible data breach depends on, among other relevant matters:
- the kind and sensitivity of the information subject of the breach;
- whether the information is protected and the likelihood of overcoming that protection;
- if a security technology or methodology is used in relation to the information to make it unintelligible or meaningless to persons not authorised to obtain it - the information or knowledge required to circumvent the security technology or methodology;
- the persons, or the kinds of persons, who have obtained, or could obtain, the information; and
- the nature of the harm that may result from the data breach.
Potential forms of serious harm could include physical, psychological, emotional, economic and financial harm as well as harm to reputation.
The Response Team should also determine whether other external stakeholders should be notified, including broader staff, MRC members, police/law enforcement, other agencies or organisations affected by the breach, the media or where MRC is contractually required to notify specific parties.
The Response Team will do so in consultation with the Communications Manager. In the event of an eligible data breach, or should media become involved, MRC’s Crisis Communications procedure will be enacted.
5.7.2. Notification exemption from Privacy Commissioner
It is also open to an affected entity to apply to the Commissioner for an exemption from the notification obligation. Such exemptions are likely to apply in circumstances where an organisation may be assisting a law enforcement body or regulatory body in relation to enforcement/investigation activities relating to a breach event, or where an organisation is itself working through a complex breach event and where notification may be more prejudicial to affected persons in the circumstances.
Entities may also apply to the Commissioner for an exemption from, or an extension of time to comply with, the notification requirements, and would not be required to comply until the Commissioner has decided the application.
5.7.3. Form of notification
If the Response Team has determined that an OAIC notification is required and an exemption has not been received from the Privacy Commissioner, it must provide a statement to the OAIC[2] containing the following information (and any other information deemed relevant) as soon as practicable:
- the identity and contact details of any entity that jointly or simultaneously holds the same information in respect of which the eligible data breach has occurred, for example, due to outsourcing, joint venture or shared services arrangements
- a description of the data breach
- the kinds of information concerned
- the steps it recommends individuals take to mitigate the harm that may arise from the breach (eg. cancelling credit cards, changing online passwords)
The Response Team must also arrange for MRC to take such steps as are reasonable in the circumstances to notify affected or at risk individuals of the contents of the statement. Individuals may be notified by their normal mode of communication to/from MRC, or if there is none, by email, telephone or post. If direct notification is not practicable, MRC must publish the statement on its website and take reasonable steps to publicise its contents (for example via social media channels).
5.8. Record breach
As soon as practicable following Steps 5.1-5.7 (regardless of whether any notifications were deemed to be required), Legal Counsel must record details of the data breach in the Data Breach Register (see section 8).
5.9. Review of breach to prevent future breaches
Within one month following a data breach being escalated to the Response Team, the Response Team may choose to report the data breach to the Executive team (and, if deemed significant enough, to the MRC committee) outlining a summary of the data breach, the response, the outcomes and any recommendations, including any need to:
- update security and response plan if necessary.
- make appropriate changes to other policies and procedures if necessary (such as privacy policy, acceptable use policy).
- revise staff training practices and/or data access if necessary.
- conduct an audit to ensure necessary outcomes are effected.
6. Response Team
The Response Team will comprise the following staff members:
- Executive Director, Legal, Risk & Compliance
- General Manager - Technology
- General Manager - Risk & Compliance
- Anyone else the Response Team deems necessary in the context of each data breach, including external advisers and the CEO.
The Executive Director, Legal, Risk & Compliance has ultimate responsibility for MRC’s handling of a data breach once he/she has been made aware of any potential breach.
7. Third parties
On occasion we share personal information with third parties in accordance with our Acceptable Data Use Policy.
Pursuant to the Acceptable Data Use Policy, in most cases MRC must enter into a contract with the third party which includes provisions regarding the Confidential Information, including clauses requiring the counterparty to:
- keep secure the Confidential Information and to only use it in accordance with prescribed purposes; and
- immediately notify, and cooperate with, MRC in the event of a suspected data breach.
8. Data Breach Register
All data breaches, including those not escalated to the Response Team, must be recorded by Legal Counsel in the MRC’s Data Breach Register, the form of which is set out in the Schedule.
9. Review
The Data Breach Register must be reviewed by the Executive team every 12 months if there have been new entries.
This Plan is recommended to be reviewed by the Response Team by January 2024.[3]
Upon the introduction of new products, software, services, system enhancements or such other events involving the handling of personal information, the General Manager - Technology shall confer with members of the Response Team to determine whether a hypothetical data breach exercise should be conducted to test this Plan.
Schedule - Form of Data Breach Register

| Date | Reported by | Reporting Manager | Escalated to Response Team Y/N | Cause of breach | Information affected | Number of individuals affected | Notifications provided | Remedial action taken |
|------|-------------|-------------------|-------------------------------|-----------------|----------------------|--------------------------------|------------------------|-----------------------|
|      |             |                   |                               |                 |                      |                                |                        |                       |
[1] ‘Likely’ is to be interpreted to mean more probable than not and ‘reasonable person’ is to be taken to mean a person in the entity’s position who is properly informed, based on information immediately available or following reasonable inquiries or an assessment of the data breach. The OAIC’s guidance states that the reasonable person is not to be taken from the perspective of an individual whose personal information was part of the data breach or any other person, and, generally, entities are not expected to make external enquiries about the circumstances of each individual whose information is involved in the breach.
[2] The OAIC has created an online form with similar content which could be used; however, we recommend instead filling out a Word version of this form to enable easier circulation within the Response Team to review and finalise the statement. The final statement can be provided by uploading it into the online form, or sent to the OAIC by email to enquiries@oaic.gov.au, by fax to 02 9284 9666 or by post to GPO Box 5218, Sydney NSW 2001.
[3] The review date is recommended only. Should this Plan not have been reviewed or updated by its review date, this Plan shall still remain in force and does not expire.