Managing secure information and notifying us of information or data security incidents

An information and data incident is any failure that has caused or has the potential to cause unauthorised access, use, disclosure, destruction, loss and/or alteration of data held by your organisation. It applies to data and records held in your ICT systems as well as records held in physical files.

Our interest is in incidents that involve the personal and health information about clients and their families, along with related program data, held by your organisation for the services you’re contracted to provide for DCJ.

Information and data incidents could be the result of hacking of your ICT system or data theft, or the result of human or technical error, or misadventure.

Some examples of information and data incidents are:

• deliberate interference with, or unauthorised accessing of electronic or physical records
• loss of electronic and/or physical records as a result of a fire or flood
• theft or loss of mobile storage devices, such as a USB or laptop
• an email involving client information sent to the wrong person
• unauthorised staff accidentally or deliberately accessing restricted documents
• someone from your organisation improperly sharing, or providing access to, sensitive information with a third party.

If a data breach is likely to result in serious harm, it is classified as an eligible data breach under the Mandatory Notification of Data Breach (MNDB) Scheme. Serious harm includes physical, financial, material, emotional or psychological harm.

It is important that you report any incident that involves data relating to the services you’re contracted to provide for DCJ. We will work with you to assess the impact on clients and determine if the incident is an eligible data breach.