Our Data Breach Policy

Our commitment to you

Queensland Treasury (Treasury) is committed to protecting your privacy. We recognise the importance of your privacy and understand that people are concerned about the security and confidentiality of their personal information.

Treasury (and all business areas / statutory bodies administered within it) owes an obligation of privacy to every individual it holds personal information about. We are committed to appropriately escalating, containing, and assessing data breaches. The purpose of this data breach policy is to explain how Treasury manages and responds to data breaches.

What legislation applies to us?

Personal information is any information or opinion which identifies an individual or allows an individual to be reasonably identified. The Information Privacy Act 2009 (IP Act) outlines the rules we must comply with when handling personal information. These rules include the Queensland Privacy Principles (QPPs) and also a mandatory notification scheme for eligible data breaches (Notification Scheme). The QPPs tell us how we can collect, use, disclose, and secure your personal information. The Notification Scheme tells us how to manage eligible data breaches.

We handle your personal information in accordance with the IP Act, including the Notification Scheme. We also handle tax file numbers (TFNs) in accordance with the notification scheme under the Commonwealth’s Privacy Act 1988.

We hold personal information if it is contained in a document in our possession (e.g. documents stored in our records management system) or under our control (e.g. documents held by our third-party contracted service providers).

What is a data breach?

A data breach means either of the following occurring in relation to information we hold:

  • unauthorised access to, or unauthorised disclosure of, the information
  • the loss of the information in circumstances where unauthorised access to, or unauthorised disclosure of, the information is likely to occur.

What is unauthorised access or disclosure?

Access or disclosure will be unauthorised if the information we hold is accessed or disclosed without proper permission, licence, or legitimate purpose (whether that happens intentionally or unintentionally). A lack of authorisation could occur within our agency, between agencies, or external to our agency. Access and disclosure are not mutually exclusive events. Either unauthorised access to information or unauthorised disclosure of information will be a data breach.

What is loss of information?

We hold information if it is in a document that we possess or control. We have lost that information if we no longer have possession or control of the document (whether that loss happens deliberately or accidentally). Loss of information will be a data breach if the loss is likely to result in unauthorised access to, or unauthorised disclosure of, the information.

What are some examples of data breaches?

A data breach may occur:

  • internal to our agency e.g. if a staff member browses agency records relating to a family member, a neighbour, or a celebrity without a legitimate purpose
  • between government agencies e.g. if our agency provides lawful access to our information for a joint government project and an officer from the other agency uses the information for something other than the project
  • outside our agency e.g. if our information held in a database is compromised during a cyberattack and accessed by a malicious third party / threat actor.

What are our obligations under the Notification Scheme?

If we know, or if we reasonably suspect, that a data breach is an eligible data breach then we must:

  • immediately (and continue to take all reasonable steps to):
    • contain the data breach
    • mitigate the harm caused by the data breach
  • if we are uncertain about whether the data breach is eligible, assess (within 30 days) whether there are reasonable grounds to believe the data breach is an eligible data breach of the agency.

If we know, or reasonably believe, that a data breach is an eligible data breach then we must, as soon as practicable:

  • notify the Information Commissioner
  • notify affected individuals.

If we become aware that an eligible data breach may affect another government agency, we must tell that agency.

What is an eligible data breach?

An eligible data breach means both of the following occurring in relation to information we hold:

  • there is a data breach involving personal information
  • the data breach is likely to result in serious harm to an individual to whom the personal information relates.

If serious harm is more likely than not to affect a person (or a subset of people) impacted by a data breach involving their personal information, then the data breach will be an eligible data breach.

What is serious harm?

Serious harm includes:

  • serious physical, psychological, emotional, or financial harm to the individual because of the access or disclosure
  • serious harm to the individual’s reputation because of the access or disclosure.

Serious harm occurs where the harm caused by the data breach has resulted, or may result, in a real and substantial detrimental effect to an individual. The effect on an individual must be more than mere irritation, annoyance, or inconvenience.

Examples of harms include:

  • identity theft
  • financial loss
  • threats to personal safety
  • loss of business or employment opportunities
  • humiliation and embarrassment
  • damage to reputation or relationships
  • discrimination, bullying, or other forms of disadvantage or exclusion.

If there are reasonable grounds to believe that the data breach has resulted in, or is likely to result in, serious harm to one or more of the individuals to whom the information relates, the data breach is considered an “eligible data breach”.

What factors do we consider when assessing serious harm?

We will consider the following matters when assessing serious harm:

  • the kind of personal information accessed, disclosed or lost
  • the sensitivity of the personal information
  • whether the personal information is protected by security measures
  • if the personal information is protected by security measures, the likelihood those measures could be overcome
  • the persons, or kinds of persons, who have obtained (or who could obtain) the personal information
  • the nature of the harm likely to result from the data breach
  • any other relevant matter.

We may also consider the following additional relevant matters:

  • the amount of time the personal information was exposed or accessible
  • the circumstances of the individuals affected and their vulnerability or susceptibility to harm (that is, if any individuals are at heightened risk of harm or have decreased capacity to protect themselves from harm)
  • the circumstances in which the breach occurred
  • actions we may have taken to reduce the risk of harm following the data breach.

Who is responsible for handling data breaches?

The chief executive is ultimately responsible for agency compliance with the IP Act, including the Notification Scheme. The Under Treasurer is our chief executive. The General Counsel, Chief Information Officer, Commissioner of State Revenue, and Chief Revenue Counsel support agency compliance. The Privacy Team Officers support our privacy function. Information Services manage our information and cyber security, including requirements under the Queensland Government information and cyber security policy (IS18).

All of our officers have a responsibility to ensure personal information they handle in the performance of their duties is managed in accordance with the IP Act. This includes completing data privacy training to enable them to appropriately escalate and investigate data breaches. A high-level overview of responsibilities within the agency is below. Each data breach will need to be considered on a case-by-case basis.

Persons and responsibilities

All internal agency officers:

  • handle personal information consistently with the IP Act
  • escalate and report data breaches to their managers, to the Privacy Team Officers (to assess suspected eligible data breaches) and to Information Services (to assess security incidents).

Business area impacted by breach:

  • collaborate with the Privacy Team Officers and/or Information Services (if needed) to take containment and mitigation action (this must be undertaken immediately and on an ongoing basis as needed)
  • provide information needed for assessments and internal reporting
  • engage with any service providers (if needed)
  • implement permanent prevention methods (if needed)
  • consider any notifications required under contracts, memorandums of understanding or service level agreements, or legislation other than the IP Act or Commonwealth Privacy Act (if needed).

Privacy Team Officers:

  • collaborate with business area on containment and mitigation action
  • undertake or recommend additional internal escalation/reporting as needed (e.g. Legal, People & Culture, or Information Services)
  • assess breach to see if it may be an eligible data breach that requires mandatory notification under the Notification Scheme in the IP Act or the Commonwealth Privacy Act, or may otherwise warrant notification.

Information Services Team:

  • handle management of security incidents (including any processes or notifications required under IS18)
  • support data breach assessments under the IP Act’s Notification Scheme (and Commonwealth Privacy Act) and help to implement any containment, mitigation, or prevention steps (if needed).

General Counsel, Chief Information Officer, Chief Revenue Counsel, & Commissioner of State Revenue:

  • determine if notifications to the Information Commissioner, affected individuals, another agency, or any other entity or individual are warranted in the circumstances (or if any exemptions apply) and how to handle making the notifications
  • determine if external advisers or investigators are warranted
  • report to agency senior executives and Under Treasurer as needed.

Under Treasurer:

  • oversee any notifications determined in response to the breach on behalf of the agency
  • foster a privacy-conscious culture within the agency.

How do we escalate, contain, and assess data breaches?

Our response to a data breach will be conducted on a case-by-case basis to account for the varied types of data breaches that may occur. However, Treasury’s strategy for responding to data breaches will generally cover the following steps:

  • Step 1: escalate the data breach
  • Step 2: contain and mitigate the data breach
  • Step 3: assess the likelihood of serious harm from the data breach
  • Step 4: notify people about the data breach, where required or otherwise warranted
  • Step 5: implement preventative actions to minimise the likelihood of a similar data breach reoccurring.

Every officer in our agency has a responsibility to escalate and support the management of data breaches.

Step 1: How do we escalate data breaches?

Internal staff are expected to report data breaches to their managers, to the Privacy Team Officers for assessment under the Notification Scheme, and to Information Services for assessment as a security incident.

External entities (including other agencies, third parties, or members of the public) may report a data breach by emailing:

  • the Queensland Revenue Office (QRO) Privacy Contact Officer on QROprivacy@treasury.qld.gov.au if the breach relates to QRO (including the State Penalties Enforcement Registry, SPER)
  • the Treasury Privacy Manager & Contact Officer at privacy@treasury.qld.gov.au if the breach relates to Queensland Treasury other than QRO.

The Privacy Team Officers will undertake or recommend any additional escalations/reports under privacy legislation, and Information Services will undertake any processes or notifications required under IS18.

Any report to the Privacy Team Officers will need to include details about the personal information involved in the breach and circumstances surrounding the breach, to inform Treasury’s containment/mitigation actions and our assessment.

Step 2: What do we do to contain and mitigate a data breach?

At this stage of a breach, we are taking steps to limit the extent and duration of the breach, and make any effects from the breach less harmful. We may take the following actions to contain and mitigate a data breach:

  • making efforts to recover the personal information
  • securing, restricting access to, or shutting down breached systems
  • suspending the activity that led to the data breach
  • revoking or changing access codes or passwords.

The business group (or statutory body administered within our agency) impacted by the data breach will collaborate as needed with the Privacy Team Officers and Information Services to take any containment and mitigation actions.

We have an immediate and ongoing obligation to contain the data breach and mitigate any harm while we manage our assessment of, and response to, the data breach.

To determine the appropriate containment or mitigation actions, we may consider the following questions.

  • What happened to cause the data breach, and can interim controls be implemented?
  • Do we need to work with any third parties, other agencies, or service providers to investigate and resolve the data breach?
  • Can the personal information be recovered?
  • Can the person who has received personal information incorrectly be contacted?
  • Can the system which has been breached be shut down?

Step 3: How do we assess data breaches?

The Privacy Team Officers will assess the data breach to understand privacy risk (including an assessment to understand if the breach may be an eligible data breach), any likely consequences, and recommended next steps to be taken.

As part of this assessment, we may consider the following questions.

  • Is personal information impacted by the data breach?
  • What type of personal information is involved?
  • Who are the people potentially affected by the data breach?
  • What was the cause of the data breach?
  • Should we contact any other internal or external subject matter experts (e.g. technical investigators or auditors, People & Culture, Information Services or Legal Services)?
  • What is the likelihood of serious harm to the affected individuals – is there an “eligible data breach”?
  • What steps should be taken by the agency to minimise or avoid any potential harm to individuals?
  • Does the agency need to notify anyone (on a mandatory or voluntary basis)?
  • Do any exemptions to notification under the Notification Scheme apply in the circumstances?

This assessment needs to be completed within 30 days of our agency becoming aware of the data breach. If we cannot complete our assessment within 30 days, we can extend that timeframe as we reasonably require.

Step 4: When do we notify people about data breaches?

If our assessment means that we know, or reasonably believe, that a data breach is an eligible data breach then we must, as soon as practicable:

  • notify the Information Commissioner
  • notify affected individuals.

Please see the section below explaining how we handle notifications of eligible data breaches.

Step 5: How do we prevent future data breaches?

We endeavour to learn lessons from any data breaches so we can minimise the risk of similar incidents reoccurring. As part of future breach prevention, we may consider the following questions.

  • Can we provide training to our officers?
  • What was the root cause of the data breach?
  • Can we update our existing internal processes?
  • Does our internal register of eligible data breaches show any reoccurring issues?
  • Can we permanently implement any of the interim containment or mitigation actions taken in response to the breach?

How do we handle notifications of eligible data breaches?

Under the Notification Scheme, we must as soon as practicable after forming the belief that there has been an eligible data breach:

  • notify the Information Commissioner about any eligible data breach (unless an exemption applies)
  • take steps to notify affected individuals about any eligible data breach (unless an exemption applies).

Notifications may be facilitated through the most appropriate business group in the agency, which may differ on a case-by-case basis.

The method of notification is determined on a case-by-case basis; however, we will generally:

  • notify the Information Commissioner using the form available from Reporting a privacy breach | OIC
  • notify people using correspondence (post or email), telephone scripts, or our websites.

In addition, if we become aware the eligible data breach:

  • may affect another agency, we will give written notice to the other agency
  • involves TFNs, we will notify the Commonwealth Information Commissioner
  • warrants additional notifications (on a voluntary or mandatory basis), we may notify other entities such as:
    • counterparties to contracts or memorandums of understanding
    • the Queensland Police Service
    • the Crime and Corruption Commission
    • the Queensland Government Insurance Fund.

What will we tell the Information Commissioner?

If we determine a notification to the Information Commissioner is required under the Notification Scheme or is otherwise warranted, we will generally tell the Information Commissioner the following information:

  • the name of the agency (or agencies) affected by the breach and how to contact the agency about the breach
  • the date the data breach occurred, how the data breach occurred, and a description of the type of eligible data breach (e.g. access, disclosure, loss)
  • the period of time for which access to or disclosure of the personal information was available or made
  • a description of the kinds of personal information impacted by the breach
  • the steps we recommend individuals should take in response to the breach
  • any other agencies on behalf of whom we are reporting the breach
  • the steps the agency has taken to contain the breach and mitigate the harm caused to people by the breach
  • the number of people impacted by the breach (including the number of people at likely risk of serious harm)
  • the number of people who will be notified about the breach and whether those people have been advised of their rights to make a privacy complaint to the agency.

What will we tell affected individuals?

If we determine a notification to individuals is required under the Notification Scheme or otherwise warranted, we will generally tell people the following information:

  • the name of the agency (or agencies) affected by the breach and how to contact the agency about the breach
  • the date the data breach occurred, how the data breach occurred, and a description of the type of eligible data breach (e.g. access, disclosure, loss)
  • the period of time for which access to or disclosure of the personal information was available or made
  • a description of the kinds of personal information impacted by the breach
  • the steps we recommend individuals should take in response to the breach
  • any other agencies on behalf of whom we are reporting the breach
  • the steps the agency has taken to contain the breach and mitigate the harm caused to people by the breach
  • how people can make a privacy complaint to the agency.

Depending on the circumstances, we may notify individuals directly or by publishing this information on our website.

What will we tell other agencies?

If we determine written notice to another agency is required under the Notification Scheme or otherwise warranted, we will generally tell the other agency the following information:

  • how to contact us about the breach
  • the date the data breach occurred, how the data breach occurred, and a description of the type of eligible data breach (e.g. access, disclosure, loss)
  • a description of the kinds of personal information impacted by the breach
  • the steps we are taking in relation to the breach.

How do we record and store documents relating to data breaches?

We will keep records relating to the data breach, consistent with our obligations to maintain public records in accordance with the Public Records Act 2023 (Qld). The Privacy Team Officers will also maintain an internal register of any eligible data breaches, consistent with our obligation under the IP Act to keep a register of eligible data breaches of the agency.

We use secure systems to hold personal information and our public records in accordance with the requirements of IS18, and we take all reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access, modification or disclosure.

How have we prepared ourselves to respond to data breaches?

We have implemented the following key processes to support expeditious management of data breaches:

  • privacy policy
  • data breach policy
  • strategic plan
  • annual privacy training.

For information about how we handle personal information more broadly, please refer to our privacy policy:

  • for Treasury – available here
  • for the Motor Accident Insurance Commission (MAIC) / Nominal Defendant (ND) (statutory bodies administered within Queensland Treasury) – available here.

Last updated: 1 July 2025