1. Background
The Privacy Act imposes ongoing obligations to take reasonable steps to handle personal information in accordance with the Australian Privacy Principles. This includes protecting personal information from misuse and interference and loss, and from unauthorized access, modification or disclosure.
The Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) incorporates mandatory data breach notification requirements into the Privacy Act 1988 (Cth). The new provisions come into effect on 22 February 2018.
To help ensure Connective is compliant with our obligations under the new requirements, and so that our brokers are clear about what we expect of them to support us in satisfying those obligations, Connective has developed this Connective Brokers Data Breach Notification Policy (the Policy). The Policy sets out Connective’s requirements for its brokers in managing data breaches that impact Personal Information collected (as defined below). Most importantly, the aim of this Policy is to enable our brokers to:
have open and prompt dialogue when suspecting, assessing and managing data breaches;
work together to remediate and minimize the risk of harm to individuals whose personal information is impacted by data breaches;
agree our notification responsibilities to the OAIC and affected individuals (especially if more than one organization is affected by a notifiable data breach, we need to coordinate on notifications to the OAIC and affected individuals); and
implement prevention plans to prevent data breaches from reoccurring.
2. Application
This Policy applies to Connective’s brokers (the Broker for the purposes of this Policy) who access or deal with Personal Information in the course of performing Connective Activities.
In this Policy, any personal information provided to a Broker by its customer in connection with, or related to, Connective Activities is referred to as “Personal Information”. A data breach occurs where there is unauthorized access to, or unauthorized disclosure or loss of, personal information.
This Policy sets out five key steps for a Broker to follow when it becomes aware or suspects that a data breach impacting its Personal Information has occurred. Any data breach or suspected data breach of Personal Information is referred to in this Policy as a “Notifiable Incident”.
All defined terms are capitalized in this Policy. Please refer to Section 6 for Definitions.
3. What to do if a Notifiable Incident arises
Notifiable Incidents are to be identified, notified, managed and remediated in accordance with this Policy. The five key steps for a Broker to follow when managing Notifiable Incidents are set out below:
Notification;
Remediation;
Investigation and Reporting;
Assisting Connective; and
prevention
Diagram A – Management of Notifiable Incidents
A. Notification
A Broker will immediately notify its Connective Partnership Manager or CSM as soon as it becomes aware of any grounds to believe or suspect that a Notifiable Incident has occurred using the Data Breach Incident Template in Appendix A.
If a Broker is unsure about whether to notify Connective of an incident, the Broker’s Partnership Manager or CSM needs to be notified as soon as practicable in order to have an open and prompt dialogue and if necessary, obtain further guidance.
If in doubt, the Broker should email [email protected] as soon as possible of an incident that could be a Notifiable Incident
When notifying Connective of any Notifiable Incident, Brokers need to provide the following information (to the extent then known):
(i) Nature and details of the Notifiable Incident
the date of the Notifiable Incident;
the date the Broker detected or suspected the Notifiable Incident;
description of the Notifiable Incident;
the types of personal information affected (or suspected to be affected) and if not specifically known, explain the types of information that are held on the relevant system that may be affected;
root cause of the Notifiable Incident (if known) e.g. malicious or criminal attack, system fault or human error or any control deficiencies or gaps; and
whether the personal information affected is protected by one or more security measures, e.g. is it encrypted, anonymized or otherwise not easily accessible to unauthorized parties
(ii) Possible impact of the Notifiable Incident
the number of individuals whose personal information is involved in the Notifiable Incident (if known)
(iii) Preliminary actions and recommendations
any action taken by the Broker to address the Notifiable Incident;
any action taken to mitigate the harm an individual may suffer as a result of the Notifiable Incident; and
recommendations for any actions that may or will be taken by the Broker, Connective and/or individuals who may be affected by the Notifiable Incident in order to mitigate its impact and prevent harm to affected individuals
Please note that Connective may also be obliged under its arrangements with its panel lenders to notify that lender of the Notifiable Incident and involve that lender in following steps outlined below.
B. Remedial Action
Immediately after becoming aware of the data breach or suspected data breach, a Broker will:
take all necessary and appropriate action to:
contain the data breach e.g. stop the unauthorized practice or recover the records;
mitigate potential loss or interference with Personal Information;
prevent harm to individuals as a result of the breach; and
protect the information from any further misuse, loss, access or disclosure; and
take immediate remedial action to prevent the likelihood of harm occurring for any individuals whose personal information is involved in the data breach. This could include, but is not limited to, the following examples:
Example 1:
A data file, which includes the personal information of numerous individuals, is sent to an incorrect known recipient outside the Broker’s organization. The sender realizes the error and contacts the recipient, who advises that the data file has not been accessed. The sender then advises the recipient that the file is not intended for them and confirms that the recipient has not copied, and has permanently deleted the data file (including, if necessary, by obtaining a Statutory Declaration from the recipient).
Example 2:
A Broker or one of its employees leaves a smartphone on public transport while on their way to work. When that person arrives at work they realize that the smartphone has been lost. The person asks their IT support staff to remotely delete the information on the smartphone. Because of the security measures on the smartphone and the fact that the deletion is actioned quickly, the IT support staff is confident that its contents could not have been accessed in the short period between when it was lost and when its contents were deleted.
Example 3:
A Broker’s administrative assistant has left hard copies of documents containing Personal Information in a service provider’s meeting room (and which the service provider would not otherwise have access to). The assistant takes immediate action by contacting the service provider to put away the documents in a safe place until the assistant returns to collect the documents. The supplier assures the employee that s/he has not accessed or disclosed the information while it was in his/her care. In this case, the assistant considers the supplier’s assurance to be credible and concludes unauthorized access or unauthorized disclosure has been adequately prevented from occurring. The assistant may also take the additional step of requiring the service provider to provide a written certification to Connective that they did not view, use or disclose the information while in their possession.
C. Investigation and Reporting
Immediately following notification to Connective under section 3A, a Broker will:
appoint an incident manager to lead the initial assessment and be the primary contact point with Connective concerning the Notifiable Incident;
investigate and complete an assessment of the Notifiable Incident (to the extent then known), within three (3) calendar days, including the possible impact of the Notifiable Incident and the likelihood of harm to any individuals to whom the impacted information relates;
identify and discuss with Connective the steps available to contain the breach e.g. stop the unauthorized practice or recover records, and action any agreed steps as soon as practicable, and within the timeframe reasonably required by Connective;
assess whether further remedial steps can be taken to mitigate the harm an individual may suffer as a result of the Notifiable Incident;
provide Connective with reasonable ongoing updates on results of the investigation, assessment and recommendations provided in accordance with section 3A above and this section 3C, at a frequency that reflects the severity of the Notifiable Incident, and until the remediation efforts are completed and the prevention plans (if applicable) implemented; and
use agreed communication mechanisms or processes for providing those updates.
D. Assisting Connective
Immediately following notification to Connective under section 3A, a Broker will:
provide all reasonable assistance requested by Connective in conducting Connective’s own investigation and assessment of the Notifiable Incident; and
comply with Connective’s reasonable directions in connection with management of the Notifiable Incident, including in relation to the prevention of future incidents.
Additionally, a Broker will:
work with Connective to determine whether the Notifiable Incident is likely to result in serious harm to affected individuals and therefore requires notification to the OAIC and affected individuals;
allow Connective to control the process of assessing and notifying affected individuals and the OAIC, and comply with Connective’s directions concerning those notifications if Connective determines that notification is required;
where together Connective and the Broker elect, for the Broker to manage the notification process (for example, where the Broker has the most direct relationship with affected individuals), consult with Connective in a timely manner and comply with Connective’s reasonable directions in relation to the notification process; and
consult with Connective and take into account Connective’s reasonable considerations before issuing any notifications or statements to the OAIC and affected individuals, except to the extent that it would prevent a Broker from complying with any laws (including privacy laws) and in which case, the Broker will provide Connective with copies of those notifications or statements as soon as practicable.
E. Prevention
Once:
a Notifiable Incident is contained;
risk of immediate harm is mitigated; and
any required notifications to the OAIC and affected individuals are issued,
a Broker will:
provide to Connective a final report which specifies:
the root cause of the Notifiable Incident; and
the corrective actions to be undertaken to prevent a repeat occurrence of the Notifiable Incident, which will be specified in a prevention plan to Connective’s reasonable satisfaction. The prevention plan could include, for example, a security audit to identify required uplifts to physical and technical security; changes to policies and procedures to reflect lessons learned from the incident and investigation; review of employee selection and training practices; and review of the Broker’s service delivery partners; and
implement the prevention plan.
3. Implementation of this Policy
To enable Connective to assess its ability to respond to Notifiable Incidents in accordance with its responsibilities, Connective may undertake periodic reviews (at a reasonable frequency) to test and validate compliance. These reviews may incorporate screening, self-assessments, direct engagement with Brokers, requests for supporting documents and data, external validation, and ongoing management and mitigation of material risks.
4. Further information
For further guidance on mandatory data breach notification under the Privacy Act, please refer to the Office of the Australian Information Commissioner’s (OAIC) website: www.oaic.gov.au
5. Definitions
Broker Related Party means an employee, contractor, administrative staff, service provider or related party or assists the Broker with the Connective Activities.
Connective means Connective Credit Services Pty Ltd, Connective Broker Services Pty Ltd, Connective Lender Services Pty Ltd, Connective Group Pty Ltd and their subsidiaries or related bodies corporate.
Connective Activities means any actions, roles, activities or functions which the Broker or a Broker Related Party engages in which would fall within the scope of full member agreement entered into by the Broker and Connective.
Connective Partnership Manager means the Connective Partnership Manager responsible for the relevant Broker.
Connective CSM means the Connective Compliance Support Manager responsible for the relevant Broker.
Notifiable Incident means any incident where a Broker becomes aware of any grounds to believe or suspect that there has been unauthorized access to, or disclosure or loss of, Personal Information.
OAIC means Office of the Australian Information Commissioner.
Personal Information has the definition for that term in the Privacy Act and includes any information or opinion, about an identified individual or an individual who can be reasonably identified from the information.
The information will still be personal information whether it is true or not and regardless of whether there is a record of it.
Personal information can be in any format. The definition is technology neutral and is not limited to information contained in records. Personal information might be contained in information that is shared verbally, captured digitally or recorded in writing. For example:
A recording of a call containing an individual’s voice may be that individual’s personal information where the recorded person can be reasonably identified (e.g. when the recording is linked to the customer’s file).
Images of individuals in photographs or video will be personal information where the person’s identity is clear or can be reasonably worked out from the image.
Privacy Act means Privacy Act 1998 (Cth).