Maintaining secure information and notifying us of information security incidents

The obligations and requirements for service providers to maintain secure information, and notify us when an actual or suspected information security incident is detected. This policy applies to all electronic and physical data storage.

Your responsibilities when you detect an actual or suspected information security incident

Overview

As soon as you become aware of an information security incident, we expect your organisation to:

  • notify us and other relevant state and Commonwealth agencies
  • correct, contain or mitigate any loss of data
  • manage any media response required
  • inform and support any individuals or organisations directly affected
  • seek support and guidance from DCJ, if required
  • cooperate with any direction provided by DCJ
  • implement remedial actions recommended by DCJ and any other state or Commonwealth agency you may have informed of the incident.

If a requirement stated in this policy conflicts with a provision specified in your contract with us, then the contract provision overrides that requirement.

Step 1. Notify DCJ of an actual or suspected information security incident

The nature of the incident, and its potential impact on DCJ clients and systems, determines who you contact at DCJ and how quickly.

For malicious cyber-attacks on your ICT systems involving personal client information

If your organisation identifies that a cyber-attack is in progress, or has occurred, in your ICT systems:

  • immediately notify DCJ by completing the online notification form. This point of contact is monitored 24/7 by the DCJ Information Security team, and information submitted via this form will be assessed by that team.
  • once you have completed the form, contact the following people:
    • During business hours: if you suspect the security incident involves data related to DCJ service delivery, contact your DCJ Contract Manager.
    • Outside business hours: if the incident occurs outside core business hours and the data breach relates to client data, immediately contact the relevant Director Commissioning and Planning or the Executive Director Partnerships, as listed in the table below.

A representative of the DCJ Information Security team will contact your organisation and work with you to ascertain details of the incident. If necessary, you can request ICT guidance from DCJ.

DCJ will coordinate these incidents. Your lead DCJ contract manager or a nominated DCJ coordinator will be the liaison between your organisation and our internal stakeholders.

For Information Security Data Breach incidents that occur AFTER HOURS ONLY, please contact your district or central representative listed below. Each entry gives the district the NGO operates within, the contact's name and position, and the after hours contact number.

Hunter and Central Coast: Susan Mullard, Director Commissioning and Planning, 0400 338 189
Illawarra Shoalhaven and Southern NSW: Kathryn Stonestreet, A/Director Commissioning and Planning, 0437 949 636
Mid North Coast, Northern NSW and New England: Fiona Napper, Director Commissioning and Planning, 0427 070 072
Murrumbidgee Far West and Western NSW: Wendy Crockett, Director Operations, 0400 307 894
South Western Sydney: Daniel Barakate, Director Commissioning and Planning, 0418 112 144
Sydney, South Eastern Sydney and Northern Sydney: Penny Church, Director Commissioning and Planning, 0401 144 434
Western Sydney and Nepean Blue Mountains: Claudia Vianello, Director Commissioning and Planning, 0458 273 891
Partnerships (for centrally managed contracts or where impacted services are state-wide): Eleri Morgan-Thomas, Executive Director Partnerships, 0447 691 087

For other incidents involving loss of client data or confidential program information

When your organisation detects any of these types of incident, call and email your DCJ contract manager by the next business day. If your organisation holds multiple contracts with DCJ, notify your lead DCJ contract manager instead.

Other obligations

You may also have an obligation to notify the Information and Privacy Commission NSW (IPC), or the Office of the Australian Information Commissioner (OAIC), under the relevant state and Commonwealth privacy laws. Justice Connect (Not-for-profit Law) provides resources to help you understand these obligations.

Step 2. Investigate the information security incident and notify DCJ of early findings

Within 48 hours of notifying DCJ, you are required to undertake an early investigation of the information security incident and notify your lead DCJ contract manager of the findings, in writing.

You can use the DCJ Information security incident report to satisfy this requirement, or to help guide your organisation’s own version of the report.

Your report of the early investigation and its findings must include:

  • a description of the incident and its potential consequences
  • details of lost or potentially compromised client information/data
  • actions you have taken or planned to manage or remedy the information lost or compromised
  • any actions required to ensure any disruption to ongoing service delivery is minimised.

What happens after you notify us?

Your lead DCJ contract manager will inform DCJ internal stakeholders about the information security incident, so that we can manage any issues and risks in consultation with your organisation’s stakeholders.

What you need to do, and the actions we take, will depend on the nature and seriousness of the incident, as well as any requirements specified in your contract with us. If you hold contracts across multiple DCJ programs, privacy and information security requirements may differ from contract to contract.

If the incident is serious and involves a cyber-attack or breach of your organisation’s ICT systems, we may have to temporarily restrict your organisation’s access to DCJ’s electronic systems.

In serious cases, DCJ may actively work with you to manage the incident. This is likely if the incident involves a cyber-attack or loss of client records due to theft, fire or flood. If other DCJ stakeholders need to contact you to obtain further information and/or to provide assistance to you, it will be done in consultation with your lead DCJ contract manager.

If client data is involved, your lead DCJ contract manager will work with your organisation to decide on the appropriate action to be taken to inform the clients affected, and inform you of what other responses we’ve commenced. Note that we’ll liaise with your organisation if we’re required to report any loss of client data to the IPC. The IPC may recommend remedial actions.

Depending on the nature of the incident, we may ask you to undertake an information security assessment. If necessary, we’ll work with you to determine the most appropriate steps to take to ensure program data and client information are protected, including implementing any recommendations from the IPC.

For serious incidents, we may document the remedial actions required in a formal improvement plan, which we’d work with you to develop. In less serious cases, we may agree to an informal plan of improvements to your information security, and monitor your progress at regular contract meetings.

Last updated: 31 Aug 2021