Skip to main content
Office of Sport

Data breach policy

The Office of Sport takes the privacy of our clients, stakeholders and staff seriously. This policy outlines how we respond to a data breach involving personal or health information, including the actions and responsibilities required to manage, contain and report a breach.

On this page

About our data breach policy

Data breaches can be caused or exacerbated by a variety of factors, affect different types of personal information, and give rise to a range of actual or potential harms to individuals, agencies and agencies. Although there is a lot of overlap between information security incidents and data breaches, they are not exactly the same.  Some cybersecurity incidents will not impact on anyone’s personal information. Some data breaches will involve only hard copy information such as paper files.

This Policy covers the key actions and responsibilities to be followed in the event of a data breach that involves personal and/or health information.

The policy document:

  • Applies to all suspected and actual data breaches involving personal information. 
  • Supports the Office’s obligations under the Mandatory Notification of Data Breach (MNDB) Scheme and Part 6A of the Privacy and Personal Information Protection Act 1998 (NSW).
  • Supports the Office’s obligations under the Notifiable Data Breaches scheme under the Privacy Act 1988 (Cth) in the case of data breaches involving  tax file numbers (TFN).

Staff should consult the Data Breach Response Plan (for internal use only) on the Office’s intranet for more detailed information on data breach response management.

CollectThe process of obtaining personal information.
Data breach 

Occurs when either:

 

  • There is unauthorised access to, or unauthorised disclosure of, personal information held by the Office .
  • Personal information held by the Office is lost in circumstances where unauthorised access to, or unauthorised disclosure of, the personal information is likely to occur.

Eligible data breach

 

A data breach where a reasonable person would conclude that the data breach is more likely than not to result in serious harm to an individual to whom the information relates. 

To avoid doubt an eligible data breach may include: 

  1. a data breach that occurs within a public sector agency
  2. a data breach that occurs between public sector agencies
  3. data breach that occurs by an external person or entity accessing data held by a public sector agency without authorization.
EmployeesAny person employed or engaged by the Office including volunteers, consultants and contractors.
Health Information

A particular kind of personal information, namely information or an opinion about an individual’s physical or mental health or disability or the provision of a health service to an individual. It also includes an individual’s wishes about future healthcare.

HPPs

Health Privacy Principles in the HRIP Act

 

HRIPA

Health Records and Information Privacy Act 2002

 

IPPs

Information Protection Principles in the PPIP Act

 

MNDB

Mandatory Notification of Data Breach scheme under Part 6A of the Privacy and Personal Information Protection Act 1998. 

 

Office

Refers to the Office of Sport. 

 

Personal Information

Information or an opinion about an individual whose identity is apparent or can reasonably be ascertained either from:

 

  • the information or opinion itself 
  • other means, such as combining the information or opinion.
  1.  

Any information about a reasonably identifiable individual is personal information. For this policy, personal information includes health information.

Personal Information may include information about  staff, sport and recreation clients, combatants, grant contacts and other contacts. It may include details such as name, address, telephone number, email address, date of birth or TFN. 

 

PPIPA

Privacy and Personal Information Protection Act 1998

 

Serious harm

‘Serious harm’ includes such things as serious physical, psychological, emotional, financial, or reputational harm.

Examples of harms could include identity theft, financial loss or blackmail, threats to personal safety, loss of business or employment opportunities, humiliation, stigma, embarrassment, damage to reputation or relationships, discrimination, bullying, marginalisation, or other forms of disadvantage or exclusion.

Deputy Secretary

  • Decides whether a suspected eligible data breach is an actual eligible data breach.
  • In the case of a confirmed eligible data breach, notifies the NSW Privacy Commissioner using the approved Information and Privacy Commission form.
  • In the case of a confirmed eligible data breach, notifies affected individuals.
  • Asks the response team to carry out an assessment and advise relevant authorities 
  • Determines whether an exemption applies, the exemption type and duration and advises the NSW Privacy Commissioner
  • Provides further information to the NSW Privacy Commissioner as required.
     

    Privacy Officer

  • Assesses whether a suspected eligible data breach is an actual eligible data breach.
  • Assembles, leads and assigns tasks to the Response Team
  • Conducts a review of the response and update relevant policies and procedures if necessary
  • Notifies the affected individuals
  • Ensures approved recommendations from the data breach report are implemented.
     

    Response Team

  • Conducts assessments, report on the data breach including recommendations and lessons learned
  • Decided on the notification methods and message content.
     

    All Staff

  • Ensures all data breaches are reported to the Privacy Officer.
  • Takes reasonable steps to contain and mitigate any data breach
  • Completes privacy and data breach training.

The data breach response process

Staff must report suspected data breaches to the Privacy Officer and work with the response team as outlined in the Privacy Data Breach Plan – Staff Only.

The Office of Sport seeks to negotiate contract terms that require service providers to:

  • comply with the Information Protection Principles and Health Protection Principles (or equivalent Australian Privacy Principles)
  • promptly report to the Office  any data breaches affecting the Office
  • cooperate with the Office in containing, mitigating, investigating and assessing data breaches.

  • Staff who identify a suspected data breach has occurred must report it to the:
    • Privacy Officer 
    • IM&T Manager for all digital data breaches
    • Deputy Secretary for serious harm data breaches

  • The Privacy Officer is to take all realistic steps to contain the breach and minimise its impact
  • For all digital data breaches, the IM&T team are to commence the steps required as outlined in the Open Government, Information and Privacy (Legal) (OGIP) Data Breach Response Plan and provide relevant information to the Privacy Officer.
  • Create a preliminary Response Team.
  • Where a data breach involves a third party, the Privacy Officer is to work with the Legal and Procurement teams to review the relevant contract to understand the rights and obligations for both the Office and the third party.

  • Conduct preliminary fact-finding about the breach, including type of data (e.g., check if Tax File Numbers were involved), cause, risk of spread, options to mitigate, and the location of the individuals affected. 
  • Make a preliminary assessment of the risk posed by the breach, as Low, Medium or High, according to the criteria above. Document this decision using the Response Report in Appendix A to the Privacy Data Breach Plan.
  • Consider who else needs to be informed about the breach, and/or involved in the Response Team, depending on the risk level.
  • Consider whether to involve any other external parties at this stage.

  • Notification to the NSW Privacy Commissioner is required under the MNDB scheme where the initial assessment has identified eligible data was contained in the breach and there is a likelihood of serious harm to any individual. 
  • Where a suspected eligible digital data breach is identified IM&T team is required to notify the OGIP. 
  • If the data breach involves TFNs, notification to the Australian Privacy Commissioner is required.
  • The Deputy Secretary / Privacy Officer may also need to notify the following:
    • Cybersecurity NSW
    • iCare
    • IDCARE
    • ID Support
    • Privacy Commissioner
    • law enforcement bodies
    • other agencies affected by the breach.

  • For any High Risk or Medium Risk breaches the Privacy Officer must submit a report within 10 working days to the Deputy Secretary outlining the organisational response and mitigation plan.
  • Add data breach details to the following registers:
    • Public Notification Register
    • Internal Data Breach Register.

  • A review of the process is to be conducted and reported to the Deputy Secretary with details of any recommendations and saved for future reference.
  • The review is to include:
    • Effectiveness of the Office’s Data Breach Policy
    • Effectiveness of the incident response process
    • Lessons learned and root cause analysis
    • If required, review of systems, policies, procedures and training related to the breach.

Record keeping requirements

Records of data breaches are stored and maintained in accordance with the Office of Sport Records Management Policy (staff only) and the State Records Act 1998 (NSW).  The Office maintains a log of data breaches.

Mandatory tools and templates

Supporting tools, resources and related information

Commonwealth legislation

NSW legislation

Policies and procedures

  • Privacy Management Procedure 
  • Privacy Data Breach Response Plan – Staff Only
  • Code of Conduct and Ethics
  • Child Safe Professional Standards 
  • Cyber Security Policy Framework

Contacts


Office of Sport contacts

Office of Sport Privacy Officer
Email: privacy@sport.nsw.gov.au
Phone: 13 13 02
Address: Level 3, 6B Figtree Drive, Sydney Olympic Park NSW 2127
Postal: Locked Bag 1422, Silverwater NSW 2128

External contacts

Information and Privacy Commission
Email: ipcinfo@ipc.nsw.gov.au
Phone: 1800 472 679
Address: Level 15, McKell Building, 2-24 Rawson Place, Haymarket NSW 2000
Postal: GPO Box 7011, Sydney NSW 2001

Office of the Australian Information Commissioner (OAIC)
Phone: 1300 363 992
Postal: GPO Box 5288; SYDNEY NSW 2001
Website: www.oaic.gov.au

National Identity & Cyber Support Service (IDCARE)
Phone: 1800 595 160
Website: www.idcare.org

Top of page