1. Policy statement

Darling Downs Health is committed to ensuring processes and strategies meet the requirements for responding to a data breach, including an ‘eligible data breach’, in accordance with the Mandatory Notification of Data Breach (MNDB) scheme under the Information Privacy Act 2009 (Qld) (IP Act).

2. Scope

This policy applies to the Darling Downs Hospital and Health Board, all permanent, temporary and casual employees, and all organisations and individuals acting as their agents (including visiting medical officers, other partners, contractors, consultants, and volunteers) working within and for Darling Downs Health.

3. Purpose and intent of this policy

This policy provides the principles for Darling Downs Health to meet the legislative requirements of the MNDB scheme and take all reasonable steps to respond to a data breach, through containment, mitigation, assessment, and notification to relevant parties.

4. Principles

Data breaches can vary in size and complexity, and the consequences can be significant for individuals whose information is involved. The MNDB scheme requires:

Where it is known or reasonably suspected that a data breach is an eligible data breach, Darling Downs Health must:
- immediately respond and continue to take all reasonable steps to:
  - contain the data breach
  - mitigate the harm caused by the breach
- if there is uncertainty as to whether the data breach is eligible, assess whether there are reasonable grounds to believe the data breach is an eligible data breach, within 30 days.
Where it is known or reasonably believed the data breach is an eligible data breach, Darling Downs Health must, as soon as practicable:
- notify the Information Commissioner
- notify particular individuals
Darling Downs Health must also:
- ensure its data breach policy and response plan is maintained and published
- maintain an internal register of eligible data breaches

4.1 Personal information

The MNDB scheme applies to personal information, other than personal information in a document to which the privacy principle requirements do not apply, held by Darling Downs Health.

‘Personal information’ means information or an opinion about an identified individual or an individual who is reasonably identifiable from the information or opinion –

whether the information or opinion is true or not
whether the information of opinion is recorded in a material form or not.

For more information about how Darling Downs Health handles personal and sensitive information, please see the Privacy Policy – Queensland Privacy Principles.

4.2 Information held by Darling Downs Health

Personal information ‘held’ by Darling Downs Health is defined as:

Personal information is held by a relevant entity, or the entity holds personal information, if the personal information is contained in a document in the possession, or under the control, of the relevant entity.

This includes situations where Darling Downs Health may not be in physical possession of the relevant document containing personal information, but still retains a legal power or a right to deal with the information.

Examples of physical possession of information include documents stored in data drives or Information Technology (IT) systems, and hard copy documents in a paper file or physical storage repository.

Examples of documents in the ‘control’ of Darling Downs Health include documents provided to a legal services provider for the purposes of seeking advice, or documents Darling Downs Health may require a service provider to provide under the terms of a service agreement.

4.3 Eligible data breach

A data breach is unauthorised access to, or unauthorised disclosure of, any information held by Darling Downs Health, or the loss of information in circumstances where unauthorised access to or unauthorised disclosure of information is likely to occur.

An ‘eligible data breach’ for the purposes of the MNDB scheme, is a data breach that involves personal information.

Where Darling Downs Health knows of or reasonably suspects a data breach occurring, the responsible officer/s must be notified as soon as possible and undertake an assessment of the breach to consider the response required, in line with the Data Breach Response Plan.

An eligible data breach under the MNDB scheme applies when:

there is unauthorised access to, or unauthorised disclosure of, personal information held by Darling Downs Health, or there is a loss of personal information held by Darling Downs Health in circumstances where unauthorised access to, or unauthorised disclosure of, the information is likely to occur, and
the unauthorised access to, or disclosure of the information is likely to result in serious harm to an individual to whom the personal information relates (an ‘affected individual’).

4.4 Serious harm

Serious harm occurs where the harm arising from the data breach has or may result in a real and substantial detrimental effect to an individual, and can include serious physical, psychological, emotional, financial, or reputational harm. Other types of harm may also meet the ‘serious’ threshold, but the effect on an individual must be more than irritation, annoyance, or inconvenience.

Factors to consider:

the kind of personal information accessed, disclosed, or lost
the sensitivity of the personal information
whether the personal information is protected by one or more security measures and the likelihood that any of those measures could be overcome
the kind of person/s who have or could obtain the personal information
the nature of the harm likely to result from the breach
any other relevant matter.

‘Likely to result’ requires the risk of serious harm to an individual be more than merely possible; it must be more probable than not to occur. It is not necessary to identify the specific individuals who may be harmed in order to determine that serious harm is likely to result for one or more individuals.

If doubt or ambiguity exists as to whether a data breach is likely to result in serious harm, the responsible officer/s should err on the side of caution and treat the data breach as an eligible data breach.

4.5 Responding to a data breach

4.5.1 Preparation

Darling Downs Health has established controls, systems and processes to effectively identify and manage data breaches. Technological measures for real-time detection are utilised to ensure prevention and early identification of data breaches.

Darling Downs Health has clear processes in place to respond to any data breach incident, including a Data Breach Response Plan, Cyber Incident Response Sub-plan, and Information Security Management System (ISMS) Manual.

Darling Downs Health provides appropriate training to staff in identifying, responding to and managing data breaches.

Darling Downs Health has a Data Breach Response Team, led by the Director, Office of the Chief Executive (DOCE), which leads responses to any data breach.

4.5.2 Identification

A data breach most commonly, but not exclusively, occurs when there has been unauthorised access to, loss or modification of, or the unauthorised collection, use, or disclosure of information assets.

Data breaches, including ‘near misses’, can occur because of a technical problem, human error, inadequate policies or training, a misunderstanding of obligations, non-compliance with policy and procedure, or a deliberate act.

Data breaches will be reported by staff or contracted services providers to the DOCE.

If a member of the public or another agency identifies a data breach, they can report this to the Office of the Chief Executive, via DDHHS@health.qld.gov.au

4.5.3 Contain and mitigate

If it is known or reasonably suspected that a data breach is an eligible data breach involving personal information held by Darling Downs Health, Darling Downs Health must immediately take, and continue to take, all reasonable steps to contain the data breach and mitigate the harm caused by the data breach, including:

making efforts to recover the personal information
securing, restricting access, or shutting down the breached systems
suspending the activity that led to the data breach
revoking or changing access codes or passwords.

The Data Breach Response Team will ensure they have appropriate clearance before shutting down any systems. It is, however, important to take such action as quickly as possible, as appropriate remedial action can forestall any notification requirements.

Each data breach requires a different approach, especially in the context of containment and mitigation. The Data Breach Response Team will have consideration of the relevant context of the data breach to inform measures that need to be taken. The Data Breach Response Team will undertake an assessment to determine if the breach is low, medium or high risk, taking into consideration the following factors to determine which containment measures may be appropriate:

what happened to cause the incident
can interim controls be implemented
how serious is the incident (i.e. what information and individuals are impacted)
does the health service need to work with any third parties to investigate and resolve the incident
is internal assistance from other business areas required (e.g. information security)
can the personal information be recovered
can the person who has received information incorrectly be contacted
can the system which has been breached be shut down
can the activity that led to the breach be stopped
can access codes or passwords be revoked or changed, and
did the data breach occur due to the actions of an external party (i.e. a cyber-attack)?

The Data Breach Response Team will consider available remedial action, and carefully document the steps taken and impact the remedial action had on the actual or potential harm facing affected individuals.

If a third party is in possession of the personal information and declines to return it, it may be necessary to seek legal advice on what action can be taken to recover the information. When recovering information, Darling Downs Health should also take steps to ascertain whether the information has been shared or disseminated and ensure copies have not been made, or that all copies are recovered.

While containing an eligible or suspected eligible data breach, responsible officer/s must be careful not to destroy information that may be required as part of an investigation into the breach.

4.5.4 Assess

If Darling Downs Health does not know if a data breach is an eligible data breach, it must assess whether there are reasonable grounds to believe it is an eligible data breach. The DOCE will be the lead contact for all aspects of the initial assessment and investigation.

Darling Downs Health must take all reasonable steps to complete an assessment within 30 calendar days after the day it becomes aware of the grounds to suspect the data breach but is not yet certain that it is an eligible data breach. If Darling Downs Health is satisfied that it will be unable to complete the assessment in 30 days, it can extend that time under section 49 of the IP Act.

The assessment should address the factors listed at 4.4 Serious Harm, along with other relevant factors, including:

is the personal information likely to have been lost, disclosed or accessed
length of applicable outage
what type and volume of personal information does the breach involve
what types of individuals and how many are or may be affected by the breach (take note if they are a particularly vulnerable demographic)
what was the cause of the breach and is a supplier involved
what is the extent of the breach, including the period of the breach
if the breach was caused by third party interference (hacking), what are the possible motives behind the breach, and is malicious use of the information a possibility
what are the possible harms that may occur to individuals affected by the breach
how serious is the harm and is that potentially serious harm likely to occur to anyone
how can the breach be contained and remediated and if lost, secured or recovered so that an exception applies (remedial action in relation to the access, disclosure, loss) including confirmation is encrypted and encryption key is safe
is the information subject to the actual or suspected access, loss or disclosure stored by an international database
an initial view as to whether notification is likely to be required under the IP Act.

The assessment and reasons for the decision as to whether a data breach is an eligible data breach should be recorded in writing and included in the material facts of the specific breach.

4.5.5 Notification

Depending on the context of the breach, Darling Downs Health must notify other parties of eligible or suspected eligible data breaches, including:

other agencies, if affected by the data breach
any individuals affected by the data breach
the Information Commissioner.

As soon as practicable after forming the belief that there has been an eligible data breach, the Data Breach Response Team must prepare a notification statement and provide it to the Information Commissioner. Individuals / organisations affected by an eligible data breach must be notified (whether directly or indirectly) as soon as practicable.

Exemptions from notification obligations

Circumstances where Darling Downs Health is not required to comply with the notification obligations may include when:

complying with the obligation would be likely to prejudice an investigation that could lead to the prosecution of an offence or proceedings before a court or tribunal
the eligible data breach involves more than one agency, and another agency is undertaking the notification obligations
the health service has taken specified remedial action under section 57 of the IP Act
compliance would be inconsistent with a provision of an Act of the Commonwealth or a State that prohibits or regulates the use or disclosure of the information
compliance would create a serious risk of harm to an individual’s health or safety
compliance is likely to compromise or worsen Darling Downs Health’s cybersecurity posture or lead to further data breaches.

4.5.6 Register of eligible data breaches and recordkeeping

Darling Downs Health must maintain an internal register of eligible data breaches and publish a data breach policy on its website.

The DOCE is responsible for:

preserving any relevant evidence and records/information relating to the breach or investigation process, including breaches that do not get escalated to the Data Breach Response Team or do not meet the eligible data breach threshold
ensuring records are kept of all steps taken in response to the data breach or and any other decisions made in connection with it.

Relevant evidence is stored securely, quarantined and recorded.

4.5.7 Post data breach review and remediation

The Data Breach Response Team must document the process of any remedial action and ensure there is a record of the rationale and reasoning behind each conclusion.

If the data breach required Darling Downs Health to notify the Information Commissioner, after the breach has been closed, Darling Downs Health will review:

how it responded to the data breach
the effectiveness of the Data Breach Policy

and provide a recommendation on any changes to processes or procedures that are required to proactively manage future data breaches.

Each quarter, the Data Breach Response Team, through the DOCE, must supply the Darling Downs Health Risk and Compliance team with a de-identified report of all incidents of potential inappropriate access, for compliance reporting to the Darling Downs Health Audit and Risk Committee.

4.6 Delegation

The Health Service Chief Executive is responsible for the organisation-wide oversight of this policy.

5. Related policies – Darling Downs Health

6. Supporting documents – External

Queensland Privacy Principles

7. Related standards

NSQHS Standard 1 – Clinical Governance
NSQHS Standard 2 – Partnering with consumers
NSQHS Standard 6 – Communicating for safety

8. Definitions

Term	Definition
Affected individual	An affected individual is someone whose personal information has been involved in an eligible data breach and who is likely to experience serious harm as a result.
Data breach	A data breach means either of the following in relation to information held by Darling Downs Health: Unauthorised access to, or unauthorised disclosure of, the information. The loss of the information in circumstances where unauthorised access to, or unauthorised disclosure of the information is likely to occur. Schedule 5 of the IP Act
Data breach policy	This policy
Eligible data breach	An eligible data breach will have occurred under section 47 of the IP Act where: there has been unauthorised access to, or unauthorised disclosure of personal information held by Darling Downs Health, or loss of personal information held by Darling Downs Health that is likely to result in unauthorised access to, or unauthorised disclosure of the personal information, and the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates.
Held or holds	Personal information is held by a relevant entity, or the entity holds personal information, if the personal information is contained in a document in the possession, or under the control, of the relevant entity.
Information Commissioner	The Queensland Information Commissioner
IP Act	The Information Privacy Act 2009 (Qld)
Likely to result	Likely to result requires the risk of serious harm to an individual to be more than merely possible; it must be more probable than not to occur.
Loss	Loss of personal information involves Darling Downs Health no longer having possession or control of the information. Loss may occur because of a deliberate or accidental act or omission of Darling Downs Health or due to the deliberate action of a third party.
Particular individuals	Particular individuals in the case of an eligible data breach are: the individuals whose personal information has been accessed, disclosed or lost; or affected individuals for the data breach.
Personal information	Personal information means information or an opinion about an identified individual or an individual who is reasonably identifiable from the information or opinion – Whether the information or opinion is true or not – Whether the information or opinion is recorded in a material form or not. (Section 12 of the IP Act)
Serious harm	Serious harm includes serious physical, psychological, emotional, financial or reputational harm to an individual because of the access or disclosure. Other forms of harm can also meet the serious threshold.
Unauthorised access	Unauthorised access to personal information occurs when information held by Darling Downs Health is accessed by someone who is not authorised to do so.
Unauthorised disclosure	Unauthorised disclosure occurs when Darling Downs Health intentionally or unintentionally discloses personal information when Darling Downs Health does not have permission or is not entitled to make that disclosure.

9. References / Compliance requirements and obligations

Information Privacy Act 2009 (Qld)
Information Privacy and Other Legislation Amendment Act 2023 (Qld)
Public Records Act 2023 (Qld)

Data Breach Policy