Assessing a data breach

Queensland government agencies1 must handle personal information2 in accordance with the Information Privacy Act 2009 (Qld) (IP Act). Chapter 3A of the IP Act creates a mandatory notification of data breach (MNDB) scheme, which requires agencies (other than local government3) to notify individuals and the Information Commissioner about eligible data breaches involving personal information held by the agency.

This guideline is intended to assist agencies in assessing whether a data breach is an eligible data breach and must be read in conjunction with Mandatory notification of data breach.

In addition to the MNDB guidelines,4 agencies may find these templates and quick guides helpful:

Data breach and eligible data breach

Chapter 3A of the IP Act applies to personal information held by an agency,5 unless the personal information is contained in a document to which the privacy principle requirements do not apply.

For chapter 3A, a data breach occurs if there is unauthorised access to, or unauthorised disclosure of, personal information, or personal information is lost in circumstances where there is likely to be unauthorised access to, or unauthorised disclosure of, the personal information.6

A data breach will be an eligible data breach if the actual or potential unauthorised access to, or disclosure of, personal information is likely to result in serious harm to an individual to whom the personal information relates (an affected individual).

Unauthorised access, disclosure and loss

Unauthorised access

Unauthorised access to personal information occurs when information held by an agency is accessed by someone who is not authorised to do so. For example:

  • Within an agency, if an employee browses agency records relating to a family member, a neighbour, or a celebrity without a legitimate purpose.
  • Between agencies, if a team at one agency is provided with access to systems and data of a second agency as part of a joint project and a team member uses that access for reasons other than the project.
  • Outside an agency, if information is compromised during a cyberattack and intentionally accessed by a person external to the agency.

Unauthorised disclosure

Unauthorised disclosure occurs when an agency intentionally or unintentionally discloses personal information without authority. For example:

  • An agency software update, conducted by the agency or a third party service provider, results in the unintended publication of customer records containing personal information on the agency’s website.
  • An agency intends to provide de-identified information to a researcher and accidentally sends the data with personal identifiers included.
  • An agency discloses an individual’s personal information to a third party who is not the intended recipient, eg by emailing it to the wrong address.
  • A database containing personal information hosted in a cloud environment or a web facing application lacks appropriate access controls, disclosing personal information to unauthorised individuals.

Unauthorised access and disclosure are not mutually exclusive and can occur as a result of the same breach or chain of events. For example, if an agency mistakenly discloses personal information via a webform on its internet site and a third party can view the information, this may be unauthorised disclosure and unauthorised access.

Loss

Loss of personal information involves an agency no longer having possession or control of the information. Loss may occur because of a deliberate or accidental act or omission of an agency, or due to the deliberate actions of a third party. For example:

  • An agency sells or disposes of a physical asset, such as a laptop or filing cabinet, that contains an individual’s personal information.
  • An agency employee accidentally leaves a device, such as a USB or external drive, containing personal information on public transport.
  • A device containing personal information is stolen from an agency’s premises or an employee’s home.

Loss of personal information will only be a data breach if it is likely to result in unauthorised access to, or disclosure of, the information. If the personal information is inaccessible or the agency can confirm it was destroyed, it is unlikely to be a data breach, for example:

  • Agency documents containing personal information are destroyed in a natural disaster (eg a bushfire or flood event).
  • A password protected laptop containing client files is left on public transport but is handed in and the agency is able to establish there was no access to the stored information.
  • A USB containing personal information is lost, but security measures are in place, such as the data being encrypted or protected by a strong password.
  • A tablet device containing a client’s records is stolen from an agency employee’s home, but it is only accessible via multifactor authentication.

Serious harm

Serious harm is defined in schedule 5 of the IP Act as including:

  • serious physical, psychological, emotional, or financial harm to the individual because of the access or disclosure; or
  • serious harm to the individual's reputation because of the access or disclosure.

This is not an exhaustive definition, and other kinds of harm can meet the serious threshold. Serious harm occurs where the harm arising from the data breach causes, or may cause, substantial detrimental effect to an individual. This requires more than mere irritation, annoyance, or inconvenience.

Serious harm is not limited to physical harm or a threat to physical safety; it can include, for example, emotional or reputational harm.

Likely to result

A data breach will be an eligible data breach if it will result or is likely to result in serious harm to some or all of the affected individuals. Serious harm is likely to result if the risk of serious harm is more than merely possible; it must be more probable than not to occur. It is an objective test to be determined on the facts of the specific breach, taking into account the section 47(2) matters.

Agencies do not need to identify the specific individuals who may be harmed in order to determine that serious harm is likely to result for one or more individuals. A data breach affecting a large number of individuals may be an eligible data breach even if the personal information involved is not highly sensitive, if the agency concludes that serious harm is likely to result for some of the individuals.

If doubt or ambiguity exists about whether a data breach is likely to result in serious harm, agencies should err on the side of caution and treat the data breach as an eligible data breach.

Reasonable belief or suspicion

Whether or not there are reasonable grounds to believe or suspect that a data breach is an eligible data breach will depend on the facts specific to each incident.

A reasonable belief that a data breach is an eligible data breach requires an objective view and a fair, proper, and moderate approach to ensure all known and relevant facts, circumstances, and considerations are identified and properly balanced.7 There will be reasonable grounds to believe that a data breach is an eligible breach if the available facts would be sufficient to persuade a reasonable person.8

A reasonable suspicion, however, does not require the same level of certainty and evidence as a reasonable belief, but the agency must still have some factual basis9 for deciding that there is a reasonable suspicion that a data breach is an eligible data breach. It must be more than a possibility.10

Assessment of suspected eligible data breaches

When an agency becomes aware of a data breach, it must assess it and objectively decide if the known circumstances support knowledge, reasonable belief, or reasonable suspicion that the data breach is an eligible data breach of the agency.

There are many different ways that an agency may become aware of a data breach. Depending on the circumstances, the agency may only have enough initial information to reasonably suspect they have experienced an eligible data breach.

If the agency only suspects that a data breach may be an eligible data breach, it will need to conduct further enquiries and examinations to determine whether it is an eligible data breach. An agency’s assessment and any decisions made should be recorded in writing and include the material facts of the specific breach.

This assessment must be completed within 30 days from the date the agency became aware of the data breach.

Agencies may find the Assessing a data breach flowchart helpful when undertaking their assessment.

Extension of time to assess a breach

If an agency is satisfied that it will not be able to complete the assessment in 30 days, it can extend that time under section 49. It can only be extended for the length of time reasonably required to complete the assessment.

Before the initial 30 day assessment period expires, the agency must:

  • start the assessment; and
  • give the Information Commissioner written notice that the agency has extended the time.

The notice to the Information Commissioner must state:

  • that the assessment has started
  • the period within which the assessment must be completed has been extended; and
  • the day the extended period ends.

The Information Commissioner can ask the agency to provide information or progress updates about the assessment.

Data breaches involving other agencies

If all of the personal information involved in a data breach is also the subject of a data breach of one or more other agencies, and at least one of the other agencies has undertaken to conduct the assessment under section 48(2) and (3) of the IP Act in relation to the data breach, the other involved agencies do not need to conduct the assessment.

The requirement to contain and mitigate still applies.

How to conduct the assessment

The best way to assess a data breach will depend on the circumstances; however, an assessment should generally involve:

  • gathering information about the breach
  • analysing information with regard to the factors which influence the likelihood of serious harm; and
  • making a decision on whether the gathered information and analysis supports knowledge, reasonable belief, or reasonable suspicion that the data breach is eligible.
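The assessment procedure above, together with the 30 day assessment period and section 49 extension described earlier, can be kept honest with a small written-record model. The following Python is an added illustration, not OIC tooling or anything the guideline prescribes: the class and function names (Assessment, Threshold, extend, decide) and the dates used in it are constructed for the example. It enforces that every section 47(2) matter has a written finding before a decision is recorded, computes the assessment deadline, validates the content of an extension notice, applies the guideline's presumption of access when forensic evidence is unavailable, and treats a breach as eligible where doubt remains.

```python
"""Added example: a written record of an MNDB breach assessment (not OIC code)."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum

ASSESSMENT_DAYS = 30  # initial assessment period stated in the guideline

# The section 47(2) matters, in the order the guideline lists them.
SECTION_47_2_MATTERS = (
    "kind of personal information accessed, disclosed or lost",
    "sensitivity of the personal information",
    "security measures protecting the information",
    "likelihood that the security measures could be overcome",
    "persons who have obtained, or could obtain, the information",
    "nature of the harm likely to result",
    "any other relevant matter",
)


class Threshold(Enum):
    """The three states of mind the guideline distinguishes."""
    REASONABLE_SUSPICION = "reasonable suspicion"
    REASONABLE_BELIEF = "reasonable belief"
    KNOWLEDGE = "knowledge"


@dataclass
class Assessment:
    aware_on: date                                   # day the agency became aware of the breach
    material_facts: list[str] = field(default_factory=list)
    findings: dict[str, str] = field(default_factory=dict)  # 47(2) matter -> written finding
    forensic_evidence_available: bool = True         # usable audit logs / gateway traffic?
    assessment_started: bool = False
    extended_until: date | None = None

    def deadline(self) -> date:
        """Day the assessment must be complete: 30 days, or the extended day."""
        return self.extended_until or self.aware_on + timedelta(days=ASSESSMENT_DAYS)

    def extend(self, today: date, until: date) -> dict:
        """Section 49 extension. Returns what the written notice to the Information
        Commissioner must state; raises if the guideline's preconditions are unmet."""
        initial_end = self.aware_on + timedelta(days=ASSESSMENT_DAYS)
        if today > initial_end:
            raise ValueError("the initial 30 day period has already expired")
        if not self.assessment_started:
            raise ValueError("the assessment must be started before the period is extended")
        if until <= initial_end:
            raise ValueError("the extended period must end after the initial period")
        self.extended_until = until
        return {"assessment_started": True, "period_extended": True, "extended_period_ends": until}

    def unaddressed_matters(self) -> list[str]:
        """47(2) matters that have no written finding yet."""
        return [m for m in SECTION_47_2_MATTERS if not self.findings.get(m, "").strip()]

    def decide(self, threshold: Threshold, doubt: bool = False) -> dict:
        """Record the decision. `doubt` flags residual ambiguity about whether serious
        harm is likely; the guideline says to treat such a breach as eligible.
        The IP Act's notification exemptions are not modelled here."""
        record = {
            "complete": False,
            "threshold": threshold.value,
            "unaddressed_matters": self.unaddressed_matters(),
            "presumptions": [],
            "eligible": False,
            "notify": False,
            "further_enquiries": False,
        }
        if not self.material_facts or record["unaddressed_matters"]:
            return record  # the written record is incomplete, so no decision is recorded
        if not self.forensic_evidence_available:
            # Lack of evidence is not evidence of no access: presume access and removal.
            record["presumptions"].append(
                "unauthorised access to, and removal of, personal information presumed")
        record["complete"] = True
        record["further_enquiries"] = threshold is Threshold.REASONABLE_SUSPICION
        record["eligible"] = threshold is not Threshold.REASONABLE_SUSPICION or doubt
        record["notify"] = record["eligible"]  # notify on reasonable belief or knowledge
        return record


if __name__ == "__main__":
    # Constructed scenario: agency became aware on 1 August 2025 (hypothetical date).
    a = Assessment(aware_on=date(2025, 8, 1), forensic_evidence_available=False)
    a.assessment_started = True
    print("deadline:", a.deadline())
    a.material_facts.append("external drive with client records lost; no audit logging on host")
    for matter in SECTION_47_2_MATTERS:
        a.findings[matter] = "considered; see file note"
    print(a.decide(Threshold.REASONABLE_BELIEF))
```

The record deliberately refuses to emit a decision until every 47(2) matter carries a written finding and at least one material fact is recorded, which is the point of the guideline's requirement that the assessment be recorded in writing; a reasonable suspicion yields a further-enquiries flag rather than an eligibility finding.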

Gathering information

Agencies will need to collect information relevant to the data breach, which may involve:

  • determining the cause of the breach
  • identifying the types of personal information accessed, disclosed or lost
  • investigating IT systems, eg by assessing audit logs or other records
  • determining the extent of the breach; and
  • contacting relevant stakeholders.

Analysis

Analysis requires reviewing the collected information to identify the context of the breach, including the type and amount of personal information and the number of individuals who may be affected. The analysis should also consider the potential impact on affected individuals, including:

  • actual or potential harms to individuals whose personal information is involved in the breach
  • the seriousness of that harm; and
  • the likelihood that the harm will occur.

Agencies must take the matters listed in section 47(2) into account when determining whether a breach is likely to result in serious harm. The section 47(2) matters are:

  • the kind of personal information accessed, disclosed or lost
  • the sensitivity of the personal information
  • whether the personal information is protected by one or more security measures
  • if the personal information is protected by one or more security measures, the likelihood that any of those security measures could be overcome
  • the persons, or the kinds of persons, who have obtained, or who could obtain, the personal information
  • the nature of the harm likely to result from the data breach; and
  • any other relevant matter.

Other relevant matters include:

  • the type of personal information accessed, disclosed or lost, and whether a combination of types of personal information might lead to increased risk
  • the amount of time the information was exposed or accessible, including the amount of time information was exposed prior to the agency discovering the breach
  • the circumstances of the individuals affected and their vulnerability or susceptibility to harm (that is, if any individuals are at heightened risk of harm or have decreased capacity to protect themselves from harm)
  • the circumstances in which the breach occurred; and
  • actions taken by the agency to reduce the risk of harm following the breach.

The types of personal information accessed, disclosed or lost

Regard must be had to the kind of personal information involved in the breach, because some kinds of personal information pose a higher risk of harm when compromised.

If a data breach involves identity credentials, documents such as passports, driver licences or Medicare cards, or financial information, eg credit card numbers or bank account details, agencies should be alert to a heightened risk of harm. This kind of information can be used to commit identity theft, fraud, or other financial crimes, so a data breach involving it is more likely to result in serious harm than a breach involving an email address or mobile phone number.

The sensitivity of the personal information

The IP Act contains specific rules for the collection, use and disclosure of sensitive information, such as racial or ethnic origin, political opinions or associations, religious beliefs or affiliations, and sexual orientation or practices. Data breaches involving these types of personal information may be more likely to result in serious harm.

Additionally, there are other types of personal information that do not meet the IP Act definition of sensitive information, but can still lead to more significant risk of harm, eg personal information related to a certain vulnerability which could result in an individual suffering prejudice if it was made public.

The level of risk will often depend on the circumstances. For example, historical health information related to treatment for a minor injury may not indicate a significant risk of harm, unless it is relevant to an individual’s employment and could negatively affect their career if misused.

Whether the personal information is protected by one or more security measures

Generally, robust encryption will decrease the risk of serious harm, and the risk can be further decreased by other measures, such as controls restricting access and the ability to remotely remove or wipe data.

When considering the effect of security measures on the risk of harm, agencies should take into account the strength and effectiveness of the measure and the potential ability of the person in possession of the information to circumvent it. For example, encrypted data accidentally disclosed to the wrong recipient will have a very different assessment of risk from a hacker gaining access to information protected by a weak security measure.

The likelihood that any security measures could be overcome

As discussed above, agencies need to be aware that not all security measures will remove or significantly decrease the risk of harm. Agencies will need to assess the perceived strength of any encryption and the anticipated abilities of any unauthorised recipient to negate or circumvent the security measures. For example, weak password protection will create a higher level of risk than protection by industry recognised security or encryption measures.

The persons, or kinds of persons, who have obtained, or who could obtain, the personal information

If an agency has information about the identity or motives of people who have, or may have had, access to the personal information, it will be able to make a more thorough assessment of the likelihood of serious harm. For instance, personal information obtained through a targeted cyber-attack is more likely to result in serious harm to an individual than a breach which involves the same type of information being incorrectly emailed to a trusted recipient, such as a law firm or another agency.

The existence of a relationship between the individual to whom the personal information relates and the recipient of the information may increase the risk of serious harm. For example:

  • a breach involving medical information being disclosed to a family member or colleague, as it may cause distress or embarrassment; or
  • disclosure of an individual’s address to the individual’s former partner where there has been a history of domestic or family violence.

For data breaches involving a cyber element, agencies should be alert to a higher risk of harm compared to breaches caused by human or system errors. The complexity of a cyber breach can be an indicator of the level of criminal intent behind the breach.

If personal information is posted online following a cyberbreach, it is dangerous to assume that the posted information is the only information which was accessed. Consideration should be given to all personal information held in the breached system.

The Office of the Australian Information Commissioner has noted that trusting any assurances given by a cyber threat actor, or relying on assumptions when facts regarding a person’s intent cannot be established, can result in agencies inaccurately assigning a lower risk of harm.11

The nature of the harm likely to result from the data breach

The types of harm that can occur as a result of a data breach will vary depending on the circumstances of the breach, including its cause, the personal information involved, and the individuals affected.

Financial loss

Financial loss can occur through identity theft or other fraud, eg loss of money or assets as a result of phishing or other scams. It can also result from the cost of responding to a data breach, eg reissue of identity documents, legal fees, or the cost of assistance with psychological or medical issues arising from the breach.

In cases involving physical or safety related harms, it could also include the cost of increasing personal security or relocating.

Identity theft

Identity theft can result in more than just financial loss, as the stress and time associated with restoring an individual to the state they were in before the breach can cause significant harms.

A stolen identity can also result in an inability to access online or other services, eg if the identity theft involves someone using an individual’s login details to take over the individual’s account. Identity theft can also result in:

  • creation of fraudulent government documents
  • gaining access to an individual’s banking and other financial accounts
  • taking over social media profiles and accounts
  • opening bank accounts in the victim’s name
  • obtaining credit or loans in the victim’s name; and
  • using the above examples to conduct additional criminal activity linked to the victim’s identity.

Emotional harm

Data breaches involving the publication of personal information can result in different kinds of emotional harm, particularly where it involves personal information the individual kept private or only shared with a trusted group of people. For example, information about students’ learning difficulties being released to members of a school community could result in distress and embarrassment to the involved students.

Disclosure of sensitive information, such as information relating to health or sexual orientation or practices, is more likely to result in serious emotional distress and embarrassment, which can have serious detrimental impacts on mental and physical wellbeing.

Reputational damage

Disclosure and misuse of personal information can result in individuals experiencing reputational damage, particularly if it causes embarrassment or is damaging to their career, social standing, or their professional or business reputation. For example, an employer might misuse personal information disclosed in a data breach to deny an individual a job, resulting in missed employment or career development opportunities.

Physical and personal safety harms

Some data breaches may lead to risks of serious harm to an individual’s physical and personal safety. These harms could occur, for example, where the disclosure of personal information identifies an individual’s home or work address, and due to the individual’s occupation or association with certain people, makes them susceptible to the risk of physical harm or being the victim of offences, such as stalking or harassment.

Domestic and family violence related harms

Data breaches also have the potential to increase the risk of harms related to domestic and family violence. For example, a breach that involves the disclosure of a family violence victim’s new address to the perpetrator of the violence could result in serious harms by exposing them to further family violence.

Other relevant matters

As discussed above, the list of matters in section 47(2) is non-exhaustive and includes any other relevant matters. Examples of other potentially relevant matters are discussed below.

Combination of personal information

Agencies should be aware that combinations of personal information can create a higher risk of serious harm compared to the release of one piece of information. For example, a breach involving contact details may not result in a risk of serious harm, but if the breach also involved those individuals’ health information there could be a risk of serious harm through embarrassment, prejudice, or susceptibility to being targeted for scams.

The combination of personal information can also increase the risk of personal information being used for impersonation activity, eg by using a combination of name, date of birth and other information to circumvent identity or user verification processes, allowing unauthorised access to the individual’s user accounts.

The amount of time the information was exposed or accessible

The amount of time that has elapsed between the data breach and the agency discovering it may be relevant to the consideration of the likelihood of serious harm. If the breach involves personal information being publicly available, the likelihood of serious harm to an individual will generally increase the longer the information was available.

Circumstances and vulnerabilities of the affected individuals

Another factor which may be relevant to determining the likelihood of serious harm is whether the involved individuals have any specific vulnerabilities or personal issues that make them more susceptible to harm, and/or less able to take action to protect themselves. This could include age, physical or mental health, disability, literacy issues, homelessness, financial difficulties, or a higher susceptibility to being a target due to the individual’s profession.

While these types of considerations primarily arise in smaller breaches, where agencies will be in a position to specifically consider each individual, breaches involving larger numbers of people may require an agency to consider that some people in the affected group will be more susceptible than others.

The actual individuals impacted

Similar to consideration of an individual’s specific vulnerabilities, agencies should also consider whether a data breach is more likely to result in harm due to the actual individuals involved. For example, a breach involving an individual’s email address, the disclosure of which would generally not result in serious harm, may cause serious harm if it is disclosed to someone with a history of harassing the individual.

The scale or size of the breach

The size of the breach, or the number of people involved, may impact the level of risk. For breaches involving large numbers of people and/or large amounts of personal information, it may be appropriate to consider that, due to the number of individuals involved, it is highly likely at least one of them will be at risk of serious harm.

Whether the type of breach affects the sensitivity of the information

The circumstances of the breach may change the level of risk or sensitivity that would normally be associated with certain types of information. This could occur when an individual’s name is released in association with a particular group or association, or when an individual’s information is linked to treatment for a physical or mental health issue.

Harm reduction actions

Agencies are required to take action to reduce the risk of harm from data breaches involving personal information held by the agency. The effectiveness of these actions is a factor when assessing the likelihood of serious harm.

If an agency has been able to reduce or remove the risk of harm for some or all of the individuals involved before it occurs, this will be a key consideration. The data breach may still be an eligible data breach, but the pool of affected individuals may be smaller.

Interaction between factors

Agencies should consider the way relevant factors, including the section 47(2) matters, overlap and interact. It is possible that one factor alone may not result in a breach being assessed as likely to result in serious harm. However, when combined with other factors, particularly if certain factors increase the likelihood of risk for other factors, this interaction will be a key part of the overall consideration of risk.

How this will occur practically will depend on the circumstances. For example, an individual’s name and address being disclosed publicly may not, on its own, present a high risk of harm, but if that individual has recently relocated to a new address to escape a violent family relationship, the combination and interaction of factors changes the assessment of risk. If that individual also has medical vulnerabilities and their circumstances mean they have a diminished capacity to take protective steps, the interaction between factors can dramatically alter the risk level.

Assessing cyber related breaches

Assessing data breaches caused by a cyber-attack will generally rely on agencies being able to gather and analyse digital forensic evidence. Where required, agencies should consider consulting with forensic experts for assistance in assessment. Agencies should also ensure that requirements to report breaches and incidents to the Queensland Cyber Security Unit are met as required by the Queensland Government Enterprise Architecture.12

If ICT systems do not allow for forensic examination, such as audit logging or retrospective analysis of internet gateway traffic, it may be difficult to confirm whether a breach has resulted in access to systems and removal of personal information.

A lack of evidence should not be the sole reason for deciding that access to ICT systems has not occurred. Where agencies face this type of situation, it is recommended that assessments are conducted with the presumption that unauthorised access to, and subsequent removal of, personal information has occurred. It is also recommended that, if possible, agencies consider improving their personal information security processes through investment in improving ICT systems, including enhanced incident response functionality.

Make a decision

After analysing the data breach as discussed above, the agency must decide whether an individual is likely to suffer serious harm as a result of the data breach, meaning that the breach is an eligible data breach of the agency.

If the agency is satisfied that its analysis supports a reasonable belief that there has been an eligible data breach of the agency, the obligation to notify the Information Commissioner and particular individuals applies, subject to the exemptions in the IP Act.

Refer to Notification under the mandatory notification of data breach scheme for more information.


  • 1 Agency includes a Minister.
  • 2 Information about an identified or identifiable individual. Refer to section 12 of the IP Act and Key privacy concepts – personal and sensitive information for more information.
  • 3 The application of the MNDB scheme to local governments is delayed until 1 July 2026. Until that time, local government agencies should refer to Privacy breach management and notification for local government.
  • 4 Which are based on and include material from guidelines developed by the NSW Information and Privacy Commission.
  • 5 As defined in section 13 of the IP Act.
  • 6 As defined in schedule 5.
  • 7 George v Rockett (1990) 170 CLR 104 at 112 (Mason CJ, Brennan, Deane, Dawson, Toohey, Gaudron & McHugh JJ); McKinnon v Secretary, Department of Treasury (2006) 228 CLR 423 at 430 (Gleeson CJ & Kirby J).
  • 8 George v Rockett [1990] HCA 26; (1990) 170 CLR 104, 115 (Mason CJ, Brennan, Deane, Dawson Toohey, Gaudron and McHugh JJ).
  • 9 R v Rondo [2001] NSWCCA 540 (24 December 2001) at 53.
  • 11 ‘Notifiable data breaches report – January to June 2024’, www.oaic.qld.gov.au.
  • 12 See the Queensland Government Enterprise Architecture (QGEA), specifically, the Information Security Incident Reporting Standard.

Current as at: July 31, 2025