Managing secure information and notifying us of information or data security incidents

The obligations and requirements for service providers to maintain secure information, and notify us when an actual or suspected information or data security incident is detected. This policy applies to all electronic and physical data storage.

Your obligations for maintaining secure information

Your organisation holds private information about clients and families who access the services you deliver on our behalf.

You’re required to comply with the requirements of relevant Commonwealth and NSW legislation and policy, as well as the provisions of your contract with us, in relation to privacy, information management and your information and communications technology (ICT) systems.

This means being aware of the privacy obligations for your organisation and its staff in relation to the collection, storage, use, disclosure and destruction of personal information under the Privacy and Personal Information Protection Act 1998 (PPIP Act) and the Health Records and Information Privacy Act 2002 (HRIP Act). This includes the Mandatory Notification of Data Breach (MNDB) Scheme under Part 6A of the PPIP Act which took effect on 28 November 2023.

We expect your organisation to establish, maintain, enforce and continually improve policies, procedures and safeguards to protect the personal and confidential data held in your electronic and physical files against unauthorised access, use, disclosure, destruction, loss and alteration. This includes ensuring your staff, subcontractors and governing body are aware of their obligations in relation to information and data security, and are aware of the resources available to assist you.

If your organisation detects an actual or suspected information or data security incident, you’re required to notify DCJ and keep us informed of progress until its resolution.

These requirements:

  • are in addition to any specific provisions for privacy and information security that may be specified in your contract with us
  • apply to any organisation you’ve subcontracted to fulfil part or all of the services we have contracted your organisation to deliver.

What is an information or data incident?

An information and data incident is any failure that has caused or has the potential to cause unauthorised access, use, disclosure, destruction, loss and/or alteration of data held by your organisation. It applies to data and records held in your ICT systems as well as records held in physical files.

Our interest is in incidents that involve the personal and health information about clients and their families, along with related program data, held by your organisation for the services you’re contracted to provide for DCJ.

Information and data incidents can result from hacking of your ICT systems or data theft, or from human or technical error or misadventure.

Some examples of information and data incidents are:

  • deliberate interference with, or unauthorised accessing of electronic or physical records
  • loss of electronic and/or physical records as a result of a fire or flood
  • theft or loss of mobile storage devices, such as a USB or laptop
  • an email involving client information sent to the wrong person
  • unauthorised staff accidentally or deliberately accessing restricted documents
  • someone from your organisation improperly sharing, or providing access to, sensitive information with a third party.

If a breach involving personal information is likely to result in serious harm to an individual, it is an eligible data breach under the Mandatory Notification of Data Breach (MNDB) Scheme. Serious harm includes physical, financial, material, emotional or psychological harm.

It is important that you report any incident that involves data relating to the services you’re contracted to provide for DCJ. We will work with you to assess the impact on clients and determine if the incident is an eligible data breach.

Your responsibilities when you detect an actual or suspected information security incident

Overview

As soon as you become aware of an information or data incident, your organisation must:

  • notify us and other relevant state and Commonwealth agencies
  • correct, contain or mitigate any loss of data
  • manage any media response required
  • inform and support any individuals or organisations directly affected
  • seek support and guidance from DCJ, if required
  • cooperate with any direction provided by DCJ
  • implement remedial actions recommended by DCJ and any other state or Commonwealth agency you may have informed of the incident.

If a requirement stated in this policy conflicts with a provision specified in your contract with us, then the contract provision overrides that requirement.

Step 1. Notify DCJ of an actual or suspected information security incident

The nature of the incident, and its potential impact on DCJ clients and systems, determine who you contact at DCJ and how quickly.

For malicious cyber-attacks on your ICT systems involving personal client information

If your organisation identifies a cyber-attack is in progress, or has occurred in your ICT systems:

  • Immediately notify DCJ by completing the online notification form. Submissions are monitored 24/7 and assessed by the DCJ Cyber Security team. Provide an initial report to DCJ within 48 hours of reporting the incident.
  • Once you have completed the form, contact the following people:
    • During business hours: if you suspect the incident involves data related to DCJ service delivery, contact your DCJ Contract Manager.
    • Outside business hours: if the incident occurs after hours and the data breach relates to client data, immediately contact the relevant district or central senior representative listed in the table below.

A representative of the DCJ Cyber Security team will contact your organisation and work with you to ascertain details of the incident. If necessary, you can request ICT guidance from DCJ.

DCJ will coordinate the incident and help determine if it is an eligible data breach. Your lead DCJ contract manager or a nominated DCJ coordinator will be the liaison between your organisation and our internal stakeholders.

District or central representative (after hours only)

Each row lists the district the NGO operates within, the representative's name and position, and their after hours contact number:

  • Hunter and Central Coast: Susan Mullard, Director Commissioning and Planning, 0400 338 189
  • Illawarra Shoalhaven and Southern NSW: Christine Witherdin, Director Commissioning and Planning, 0437 595 791
  • Mid North Coast, Northern NSW and New England: Fiona Napper, Director Commissioning and Planning, 0427 070 072
  • Murrumbidgee Far West and Western NSW: Brad Wotton, A/Director Operations, 0402 000 646
  • South Western Sydney: Brenna Callinan, A/Director Commissioning and Planning, 0418 456 278
  • Sydney, South Eastern Sydney and Northern Sydney: Eimear O'Farrell, A/Director Commissioning and Planning, 0436 672 423
  • Western Sydney and Nepean Blue Mountains: Claudia Vianello, Director Commissioning and Planning, 0458 273 891
  • Partnerships (for centrally managed contracts or where impacted services are state-wide): Melinda Norton, Executive Director Partnerships, 0419 626 320

For other incidents involving loss of client data or confidential program information

When your organisation detects any of these types of incidents, call and email your DCJ contract manager by the next business day. If your organisation holds multiple contracts with DCJ, notify your lead DCJ contract manager.

Other obligations

You may also have an obligation to notify the Information and Privacy Commission NSW (IPC), or the Office of the Australian Information Commissioner (OAIC), under relevant state and Commonwealth privacy laws. Justice Connect, Not-for-profit Law, provides resources to help you understand your obligations.

Step 2. Investigate the information or data incident and notify DCJ of early findings

Within 48 hours of notifying DCJ, you’re required to undertake an early investigation of the information security incident and notify your lead DCJ contract manager of the findings, in writing.

You can use the DCJ Information or data incident report to satisfy this requirement, or to help guide your organisation’s own version of the report.

Your report of the early investigation and its findings must include:

  • a description of the incident and its potential consequences
  • details of lost or potentially compromised client information/data
  • actions you have taken or planned to manage or remedy the information lost or compromised
  • any actions required to ensure any disruption to ongoing service delivery is minimised.

What happens after you notify us?

Your lead DCJ contract manager will inform DCJ internal stakeholders about the information or data incident, so that we can manage any issues and risks in consultation with your organisation’s stakeholders.

What you need to do, and the actions we take, will depend on the nature and seriousness of the incident, as well as any requirements specified in your contract with us. If you hold contracts across multiple DCJ programs, privacy and information security requirements may differ from contract to contract.

If the incident is serious and involves a cyber-attack or breach of your organisation’s ICT systems, we may have to temporarily restrict your organisation’s access to DCJ’s electronic systems.

In serious cases, DCJ may actively work with you to manage the incident. This is likely if the incident involves a cyber-attack or loss of client records due to theft, fire or flood. If other DCJ stakeholders need to contact you to obtain further information and/or to provide assistance to you, it will be done in consultation with your lead DCJ contract manager.

If client data is involved, your lead DCJ contract manager and their senior manager will work with your organisation to decide on the appropriate action to be taken. This may require further information about the personal and/or health information of clients that may have been affected.

If the incident is assessed as an eligible data breach under the MNDB Scheme, we’ll work with our DCJ information privacy team and liaise with you to inform the Privacy Commissioner and affected individuals. The Privacy Commissioner may recommend remedial actions.

Depending on the nature of the incident, we may ask you to undertake an information security assessment. If necessary, we’ll work with you to determine the most appropriate steps to take to ensure program data and client information are protected, including implementing remedial actions.

For serious incidents, we may document the remedial actions required in a formal improvement plan, which we’d work with you to develop. In less serious cases, we may agree to an informal plan of improvements to your information security, and monitor your progress at regular contract meetings.

Resources to assist you

These resources will assist you to understand NSW and Commonwealth privacy laws, your obligations and responsibilities as a DCJ contracted service provider, and tactics that may help protect your organisation.

DCJ resources for contracted service providers

Key Privacy Obligations for DCJ Contractors

This factsheet outlines privacy obligations for DCJ contractors including privacy considerations, how to safely handle information, data retention and right of access.

Information security is everyone's responsibility

This resource outlines your responsibilities as a DCJ contracted service provider, along with a number of practical things you can do to achieve and maintain a strong information security culture across your organisation.

Information security

You can also download and print our top 10 take-aways for information security.

Secure File Transfer – Interim Guidance for Service Providers

This guidance outlines key privacy principles, how to safely share files, naming protocols and what to do in the event of a data breach/incident.

External tools

Each entry lists the tool, its source and its intended use:

  • National Privacy Guide (Justice Connect, Not-for-profit Law): a guide for not-for-profit organisations that want to understand more about their obligations under privacy laws in Australia.
  • Data breach preparation and response (Office of the Australian Information Commissioner): assists organisations and agencies to prepare for, and respond to, data breaches in line with their obligations under the Commonwealth Privacy Act 1988.
  • Digital Transformation Hub (Infoxchange): practical guides and resources specifically for not-for-profits on information technology, systems and security, to support providers to build their digital capabilities.
  • Small Business Cyber Security Guide (Australian Cyber Security Centre): developed to help small businesses protect themselves from the most common cyber security incidents.
  • First Nations Business Resources (Australian Cyber Security Centre): tips and information to help First Nations businesses keep safe and secure online.
  • Resources to assist your organisation comply with privacy laws (Justice Connect, Not-for-profit Law): resources designed to assist not-for-profit organisations that have contractual arrangements with government to comply with privacy laws at both the NSW and national level, including notifiable data breaches and cyber security.
  • Guide for the management of data security breaches in NSW (Information and Privacy Commission NSW): information for organisations and agencies on what a data security breach is, its potential impact on an organisation and its clients, and how to manage a breach in NSW.

Legislation and regulations

Frequently asked questions

This page provides answers to the questions received from service providers following the launch of DCJ's information security policy on 15 February 2021.

  1. Who does this information security policy apply to?
  2. Is it necessary for my organisation to notify DCJ of all data security breaches?
  3. The policy requires my organisation to provide a report to DCJ on the early investigation and findings of an incident, within 48 hours. What if all information required in the report is not available within the timeframe?
  4. When should my organisation report an information security incident to the Information and Privacy Commissioner (IPC)? And if the IPC provides advice, how does this work with DCJ’s requirements?
  5. What if we are unable to provide all the information required in the online notification form? Should we still submit the form?
  6. Does DCJ require evidence of an IT security risk assessment if our organisation receives and retains DCJ data on our databases?

1. Who does this information security policy apply to?

The policy covers all DCJ contracted programs. This includes programs in youth justice, community corrections, child & family, housing, homelessness, disability and community inclusion.

For other programs outside this remit, such as Legal Aid NSW contracted programs, a provider may wish to use the policy as a good practice, however, it is not a contract requirement.

2. Is it necessary for my organisation to notify DCJ of all data security breaches?

DCJ’s interest is in any incident that involves personal information about clients and their families, along with related program data, held by your organisation for the services you are contracted to deliver on our behalf.

It is important that your organisation does not delay in providing advice of an information security breach that involves client or program information and that this advice is made as soon as it is detected. This allows DCJ to assess the impact on systems and client information, and to provide support to you or identify where action needs to be taken by DCJ.

Incidents not related to DCJ contracted programs and clients are a matter for the provider and are not of interest to DCJ.

3. The policy requires my organisation to provide a report to DCJ on the early investigation and findings of an incident, within 48 hours. What if all information required in the report is not available within the timeframe?

Our policy requires organisations to complete an online notification form as soon as you are aware of an incident.

Subsequently we ask that you complete a preliminary Information security incident report within 48 hours. The purpose of the report is to gather relevant information about the incident to assist DCJ to understand any impact and whether any action needs to be taken.

Providers may use their own report template, as long as it provides similar information to assist DCJ to understand the impact of the incident. We appreciate that the full impact of incidents may take weeks or months to emerge and that this will influence an organisation’s ability to report full details. Nevertheless, an early report with as much detail as possible will help us both to respond quickly and adequately.

Our intention is that relevant DCJ staff (usually your contract manager and our information security staff) will continue to work with you to support your ongoing response and actions to mitigate or minimise risks.

4. When should my organisation report an information security incident to the Information and Privacy Commissioner (IPC)? And if the IPC provides advice, how does this work with DCJ’s requirements?

You may have an obligation to notify the NSW Information and Privacy Commissioner about the breach. You can consult the resources developed by Justice Connect to help you understand your obligations.

DCJ will liaise with you on any appropriate action to be taken that is required by the Information and Privacy Commissioner. As a Government agency, we may also have an obligation to report on the impact of the incident to the Information and Privacy Commissioner as part of DCJ requirements. This action would be taken in conjunction with the organisation and based on advice by our Privacy/Legal team.

If the Information and Privacy Commissioner requires specific action to be taken by DCJ and / or your organisation we will work with you, for example to notify affected individuals. We’ll also continue to work with you to rectify the situation, protect client data and meet your contractual and legal obligations to protect client information and privacy.

DCJ may discuss with you if any necessary action is required to address obligations as part of your contract. We will work with you to ensure these align and do not conflict with advice provided by the Information and Privacy Commissioner. Whatever the circumstance, DCJ will be there to support your organisation.

5. What if we are unable to provide all the information required in the online notification form? Should we still submit the form?

Yes.

An early alert to DCJ through the online notification form is important to help us understand whether there is a possible impact on our systems. We still need you to alert us as soon as possible.

We recognise that it will take time to investigate the incident, so the best advice is to keep in touch with your DCJ contract manager. If some information is not available when you complete the form, provide as much detail as you can and supply the rest as it becomes available.

6. Does DCJ require evidence of an IT security risk assessment if our organisation receives and retains DCJ data on our databases?

No.

This is because all human service contracts have privacy and information security obligations, either specifically or as a general obligation to comply with relevant laws to ensure protection and confidentiality of information. Your organisation is responsible to manage these obligations and any potential breaches.

In consultation with your organisation, DCJ may suggest areas of improvement or require changes if warranted.

Last updated: 22 Dec 2023