Data Breach Policy

Data Breach Policy and Procedure

The UNSW Data Breach Policy and Procedure sets out the policy principles and procedures for identifying, assessing, managing and responding to a breach of data held by UNSW.

It establishes responsibility and accountability for all steps in addressing information security incidents resulting in data breaches and describes clear roles and responsibilities. It also describes the principles and procedures relating to internal and external notification and communication of such data breaches.

The Policy and Procedure has been drafted in response to amendments to the Privacy and Personal Information Protection Act 1998 (NSW) (PPIP Act) that came into effect on 28 November 2023. The principal amendment requires NSW public sector agencies subject to the PPIP Act to notify affected individuals and the Privacy Commissioner in the event of an ‘eligible data breach’ of those individuals' personal or health information (called the Mandatory Notification of Data Breach, or MNDB Scheme).

The Data Breach Policy and Procedure applies to all UNSW staff, students, contractors, consultants, third-party vendors and agents of the University.

Effective breach management assists UNSW in avoiding or reducing possible harm to both the affected individuals and UNSW and may prevent future breaches.