Managing secure information and notifying us of information or data security incidents
The obligations and requirements for service providers to maintain secure information, and notify us when an actual or suspected information or data security incident is detected. This policy applies to all electronic and physical data storage.
Frequently asked questions
This page provides answers to the questions received from service providers following the launch of DCJ's information security policy on 15 February 2021.
- Who does this information security policy apply to?
- Is it necessary for my organisation to notify DCJ of all data security breaches?
- The policy requires my organisation to provide a report to DCJ on the early investigation and findings of an incident, within 48 hours. What if all information required in the report is not available within the timeframe?
- When should my organisation report an information security incident to the Information and Privacy Commissioner (IPC)? And if the IPC provides advice, how does this work with DCJ’s requirements?
- What if we are unable to provide all the information required in the online notification form? Should we still submit the form?
- Does DCJ require evidence of an IT security risk assessment if our organisation receives and retains DCJ data on our databases?
1. Who does this information security policy apply to?
The policy covers all DCJ contracted programs. This includes programs in youth justice, community corrections, child & family, housing, homelessness, disability and community inclusion.
For other programs outside this remit, such as Legal Aid NSW contracted programs, a provider may wish to use the policy as a good practice, however, it is not a contract requirement.
2. Is it necessary for my organisation to notify DCJ of all data security breaches?
DCJ’s interest is in any incidents that involves personal information about clients and their families, along with related program data, held by your organisation for the services you are contracted to deliver on our behalf.
It is important that your organisation does not delay in providing advice of an information security breach that involves client or program information and that this advice is made as soon as it is detected. This allows DCJ to assess the impact on systems and client information, and to provide support to you or identify where action needs to be taken by DCJ.
For incidents not related to DCJ contracted programs and clients – those incidents are a matter for the provider and are not of an interest to DCJ.
3. The policy requires my organisation to provide a report to DCJ on the early investigation and findings of an incident, within 48 hours. What if all information required in the report is not available within the timeframe?
Our policy requires organisations to complete an online notification form as soon as you are aware of an incident.
Subsequently we ask that you complete a preliminary Information security incident report with 48 hours. The purpose of the report is to gather relevant information about the incident to assist DCJ to understand any impact and if any action needs to be taken.
Provider’s may use their own report template, as long it provides similar information to assist DCJ understand the impact of the incident. We appreciate that the full impact of incidents may take weeks or months to emerge and that this will influence an organisation’s ability to report full details. Nevertheless, an early report with as much detail as possible will help us both to respond quickly and adequately.
Our intention is that relevant DCJ staff (usually your contract manager and our information security staff) will continue to work with you to support your ongoing response and actions to mitigate or minimise risks.
4. When should my organisation report an information security incident to the Information and Privacy Commissioner (IPC)? And if the IPC provides advice, how does this work with DCJ’s requirements?
You may have an obligation to notify the NSW Information and Privacy Commissioner about the breach. You can consult the resources developed by Justice Connect to help you understand your obligations.
DCJ will liaise with you on any appropriate action to be taken that is required by the Information and Privacy Commissioner. As a Government agency, we may also have an obligation to report on the impact of the incident to the Information and Privacy Commissioner as part of DCJ requirements. This action would be taken in conjunction with the organisation and based on advice by our Privacy/Legal team.
If the Information and Privacy Commissioner requires specific action to be taken by DCJ and / or your organisation we will work with you, for example to notify affected individuals. We’ll also continue to work with you to rectify the situation, protect client data and meet your contractual and legal obligations to protect client information and privacy.
DCJ may discuss with you if any necessary action is required to address obligations as part of your contract. We will work with you to ensure these align and do not conflict with advice provided by the Information and Privacy Commissioner. Whatever the circumstance, DCJ will be there to support your organisation.
5. What if we are unable to provide all the information required in the online notification form? Should we still submit the form?
Yes.
An early alert to DCJ through the on-line notification form is important to assist us understand if there is a possible impact on our systems. We still need you to alert us as soon as possible.
We recognise that it will take time to investigate the incident, so the best advice is to keep in touch with your DCJ contract manager. When completing the form if the information is not available immediately please provide as much detail as it becomes is available.
6. Does DCJ require evidence of an IT security risk assessment if our organisation receives and retains DCJ data on our databases?
No.
This is because all human service contracts have privacy and information security obligations, either specifically or as a general obligation to comply with relevant laws to ensure protection and confidentiality of information. Your organisation is responsible to manage these obligations and any potential breaches.
In consultation with your organisation, DCJ may suggest areas of improvement or require changes if warranted.