Breach Procedure And Response Plan: Policy, Applicability, And Procedures

Policy Statement

Discuss about the Breach Procedure and Response Plan.

The Charles Darwin University, Australia will investigate as well as provide notice regarding the information security breaches to the individuals who are affected by the act of breaching and / or the State and the Federal agencies as per the requirements of the State and Federation.

The policy for the data breach notification defines the steps that personnel must use for ensuring that the information incidents in the university are appropriately identified, investigated, contained as well as remedied. It also gives an account of the procedures for proper documentation, proper reporting of the issues both internally and externally, and communication so that it serves as a learning process for the organization.  It also establishes the accountability as well as responsibility for all the steps that are involved in the process of addressing the incidents of the information security (Australian Catholic University, 2018).

The policy is applicable to all the users of the Protected Personal Data (PPD), whether they are the students, faculties, staff members, consultants, contractors, agents or other people who are involved in the conduction of the functions of the university. This policy is also applicable to any data storing or computing devices either owned or leased by the university which may experience a Security incident and other data storing or computing device that is used by the University, regardless of its ownership, to store the Protected Personal Data, or which, if stolen, lost or compromised, and is based on its privileged access, may lead to the disclosure of the Protected Personal Data of the University in an unauthorized manner (American University, 2018).

Notification: It can be defined as the act of informing people, who are affected by the act of breaching of PPD, that the information possessed by them is included in the act of breach and elaborates an account of the steps that they may take to protect their privacy and themselves (U.S. Department of Health & Human Services, 2018).  Notification also includes the act of providing notice to the state as well as the federal agencies which are involved in the act. The Notification which will be provided to the individuals affected by the act of breaching will be overseen by the Chief Privacy Officer Services. Depending on the type of data breached, the following components may also be included in the Notification-

• The type of the personal information affected;
• Description of the unauthorized acquisition or access;
• Description of the measures that the University will be taking in order to ensure the protection of the information from any further unauthorized acquisition or access;
• All the necessary information as well as the instructions for providing notification to then credit agencies of suspected or potential identity theft as required; and
• The name and the number of the person to be contacted for obtaining more resources as well as information (a toll free number) (University of Vermont, 2016)

Personal Protected Data (PPD): this data includes protected health information (PHI), protected student information (PSI) and personally identifiable information (PII) which are described below. The data maintained either through the hard copy medium or in any electronic medium is included in PPD.

• Personally Identifiable Information (PII): according to the Notifiable Data Breach Schemes mentioned under the Part IIIC of the Privacy Act 1988, PII can be defined as the first initial name or the last name of the individual in combination with the following data elements, when neither the data elements or the names are encrypted, protected or redacted by any other method which renders them unusable by any unauthorized person (Grimes, 2018):
• License number of the operator’s Motor vehicle
• Social security number
• Personal identification numbers or account passwords for the financial account
• Credit or debit card number (Australian Government, 2018)
• Protected Student Information (PSI): the education records of the students that are maintained by the university, either by the administrative and the academic units
• Protected Health Information (PHI): it includes the identifiable health information that is defined in Healthcare Identifiers Act 2010 or the Personally Controlled Electronic Health Records Act 2012. It also includes the identifiable health information which is obtained by the member of the university who is pursuant to any governmental entity or other organizations (Australian Government, 2015).

Reason for the Policy development

According to the Privacy Act of 1988 set by the Australian government, security breach can be described as the unauthorized access to the personal information or the loss of personal information by any individual by the university or any of its departments. The Notifiable data breach can result into serious harm and needs to be notified on an immediate basis to the Australian Information Commissioner as well as the affected individuals (The Australian National University, 2018). It can also be defined as the unauthorized acquisition of the electronic data which comprises of the confidentiality, integrity as well as security of PII which is maintained by the Charles Darwin University.  

It also includes reasonable belief of the unauthorized acquisition or actual unauthorized acquisition of the PSI or PII which the management if the university determines in order to provide the notification to the affected people notwithstanding the lack of any regulatory obligations to perform such act (Roman, 2015).

• The data breach in CDU may be discovered by any member of the staff of the university or any member of the CDU can be alerted by other system or party regarding the data or information breach.
• After the staff member of the University discovers a data breach or suspects it, he/she immediately needs to notify the Privacy officer of the University. He also must provide all the details regarding the discovery of the breach, such as the time, date and type of the personal information involved in the act of breaching (Identity Theft Resource Center, 2017).
• The CDU and its privacy officers must identify the immediate steps that can be taken and implemented in order to contain the breach. The extent and impact of the breach decide the need for notifying OAIC for the act of breaching.
• The user also needs to be asked for the following information:
• The contact information of the user
• The department of the University involved in the breaching act
• A general description of the breaching act
• A general description of the PPD affected (Office of the Information Commissioner Northern Territory, 2018).

• After the initial investigation of the breach, the Privacy officer decides whether the breach lies under the category of the notifiable breach or not. For this, a reasonable assessment will be conducted in order to determine the impact and scale of breach.
• The CDU Privacy officer will try to collect as much information as possible to assess the breach. The officer may need to seek information from the other departments as well as areas of the university and the departments need to cooperate with the Privacy officer to get to the root of the information regarding the breach.
• If the impact of the breach is high and it may cause some serious harm to the affected person, the Privacy Officer of the University will report the breach to the office of the Information Commissioner in the Northern Territory. The assessment of the suspected or conducted breach must be completed in the fastest possible manner and completed within a tine period of 30 days from the date of reporting of the breach.
• The assessment of the breach will give an account of the actions that must be taken and the actions need to be documented and implemented as early as possible.
• There is no defined protocol for the dealing with the data breaches as they need to be dealt with on a case-by-case basis and using the assessment of the risk to determine the appropriate course of action (Australian Government, 2017)
• Four key steps are needed to be considered while dealing as well as responding to the data breaches-
• Containment of the breach and performing a preliminary assessment
• Evaluation of the risks associated with the breach
• Notification to the affected individuals and NT Information Officer
• Prevention of the future breaches

If the PPD is breached, the affected individuals must receive the notice of incident immediately, without unreasonable delay, and notice must be consistent with the legal needs of the law enforcement agency of the Northern territory. 

If PHI is breached, the affected individuals must be provided with the notice within a time duration of 60 days from the identification of the breach.

If PII is breached, the affected individuals need to be provided with the notice as pee the legal requirements.

The documentation responsibilities include-

• Log of the incidents of breaching received
• The outcome of the process of evaluation
• Identification of the responsible department
• The documents of Notice provided to the affected individuals State Offices, Federal offices and business associates.

Questions related to the operational implementation of the data breach policy of the University must be directed towards:

Chief Information Officer and Chief Privacy Officer

Contact number: XXXXX

References

American University (2018) University Policy: Data Breach Notification Policy. American University.

Australian Catholic University (2018) Data Breach Procedure and Response Plan [Online]. Available from: https://www.acu.edu.au/policies/governance/privacy_policy_and_procedure/privacy_procedures/privacy_breach_procedure [Accessed 14 May 2018].

Australian Government (2015) Guide to securing personal information [Online]. Available from: https://www.oaic.gov.au/agencies-and-organisations/guides/guide-to-securing-personal-information [Accessed 14 May 2018].

Australian Government (2017) Assessing a suspected data breach [Online]. Available from: https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme/assessing-a-suspected-data-breach [Accessed 14 May 2018].

Australian Government (2018) Notifiable Data Breaches scheme [Online]. Available from: https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme [Accessed 14 May 2018].

Grimes, R.A. (2018) What is personally identifiable information (PII)? How to protect it under GDPR [Online]. Available from: https://www.csoonline.com/article/3215864/privacy/how-to-protect-personally-identifiable-information-pii-under-gdpr.html [Accessed 14 May 2018].

Identity Theft Resource Center (2017) Data breaches [Online]. Available from: https://www.idtheftcenter.org/data-breaches.html [Accessed 14 May 2018].

Office of the Information Commissioner Northern Territory (2018. Information Privacy Principles [Online]. Available from: https://infocomm.nt.gov.au/privacy/information-privacy-principles [Accessed 14 May 2018].

Roman, J. (2015) Universities: Prime Breach Targets [Online]. Available from: https://www.databreachtoday.asia/universities-prime-breach-targets-a-7865 [Accessed 14 May 2018].

The Australian National University (2018) Guideline: Data breach response plan [Online]. Available from: https://policies.anu.edu.au/ppl/document/ANUP_017609 [Accessed 14 May 2018].

U.S. Department of Health & Human Services (2018) Breach Notification Rule [Online]. Available from: https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html [Accessed 14 May 2018].

University of Vermont (2016) Data Breach Notification. University of Vermont.