Data breach policy

1. Introduction

The Art Gallery of New South Wales (the Art Gallery) takes security of personal information held within its systems seriously and employs a range of business practices and security measures to protect personal information it holds. Where personal information is held by service providers of the Art Gallery who perform business functions for us, the Art Gallery requires that these service providers meet or exceed industry standards with respect to the handling of personal information.

While the Art Gallery takes all reasonable measures to protect personal information in its possession, external threat actors are constantly probing business systems to gain unauthorised access to personal data, so that, despite the Art Gallery’s best efforts, data breaches may still occur.

This policy describes the Art Gallery’s approach to managing data breaches generally and, more specifically, ‘eligible data breach’ events involving personal information held by the Art Gallery (section 59C, PPIP Act). This policy has been prepared to comply with section 59ZD of the Privacy and Personal Information Protection Act 1998 (NSW) (PPIP Act) and the requirements of Part 6A of the PPIP Act, which establishes the NSW Mandatory Notification of Data Breach (MNDB) scheme. The MNDB scheme commenced on 28 November 2023.

The MNDB Scheme applies to breaches of ‘personal information’ as defined in section 4 of the PPIP Act, meaning information or an opinion about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion. The scheme requires that NSW public sector agencies notify affected individuals and the NSW Information Privacy Commissioner (IPC) where there has been an ‘eligible data breach’.

The scheme also applies to ‘health information,’ defined in section 6 of the Health Records and Information Privacy Act 2002 (HRIP Act), covering personal information about an individual’s physical or mental health, disability, and information connected to the provision of a health service.

The MNDB scheme does not apply to data breaches that do not involve personal information or health information, or to breaches that are not likely to result in serious harm to an individual. Where the scheme does not apply, the Art Gallery is not required to notify individuals or the IPC but will still take action to respond to the breach on a voluntary basis where appropriate.

2. Who this policy applies to

This policy applies to all Art Gallery permanent full-time, part-time and casual/temporary employees and volunteers – being any staff authorised to access Art Gallery information systems and assets. It also applies to consultants and persons or organisations authorised by the Art Gallery to administer, develop, manage and support Art Gallery information systems and assets. The obligations required under this policy are to be set out in any contracts, arrangements or understandings with third-party suppliers, vendors, contractors and hosted managed service providers.

All Art Gallery staff have a responsibility to notify the Head of Information Communication Technology or the COO of any suspected or actual data breach immediately on becoming aware of it, and to provide information about the data breach in accordance with the procedures set out in section 5 onwards. The Data Breach Response Team (section 6) will make the assessment and follow up compliance with the MNDB scheme if applicable.

To ensure Art Gallery staff are, and remain, aware of their obligations under the MNDB scheme, the Art Gallery will:

  • prepare and notify staff of the Data Breach Reporting and Response procedure in section 6 and publish it and any additional relevant awareness material in a prominent place on the Art Gallery intranet;

  • provide training on this policy and our Data Breach Reporting and Response procedure to raise awareness and appreciation of these privacy obligations generally;

  • provide refresher and on-the-job training as required;

  • highlight and promote the policy and our Data Breach Reporting and Response procedure; and

  • provide privacy briefing and awareness sessions in appropriate senior leadership forums.

3. References

  • Privacy and Personal Information Protection Act 1998 (NSW) (PPIP Act)

  • Health Records and Information Privacy Act 2002 (HRIP Act)

  • Art Gallery Privacy Management Plan (update underway)

  • Art Gallery Privacy Statement

  • Art Gallery Public Notification Register

4. What is a data breach and an ‘eligible data breach’?

4.1. What is a data breach?

A data breach occurs when there has been unauthorised access to, unauthorised disclosure of or loss of personal information (including health information) held by (or on behalf of) the Art Gallery or any accidental or unlawful destruction or alteration of personal information held by (or on behalf of) the Art Gallery.

A data breach may occur as the result of a malicious action, systems failure or human error. A data breach may also occur because of a misconception as to whether a particular act or practice is permitted under the PPIP Act. However, not all data breaches are ‘eligible data breaches’ (see section 4.2).

Examples of data breaches include:

Malicious or criminal attack

  • Cyber incidents such as ransomware, malware, hacking, phishing or brute force access attempts resulting in access to or theft of personal information.

  • Social engineering or impersonation leading to inappropriate disclosure of personal information.

  • Insider threats from agency employees using their valid credentials to access or disclose personal information outside the scope of their duties or permissions.

  • Theft of a physical asset such as a paper record, laptop, USB stick or mobile phone containing personal information.

System fault

  • Where a coding error allows access to a system without authentication, or results in automatically generated notices including the wrong information or being sent to incorrect recipients.

  • Where systems are not maintained through the application of known and supported patches.

Human error

  • When a letter, email or file containing personal information is sent to the wrong recipient.

  • When system access is incorrectly granted to someone without appropriate authorisation.

  • When a physical asset such as a paper record, laptop, USB stick or mobile phone containing personal information is lost or misplaced.

  • When staff fail to implement appropriate password security, for example not securing passwords or sharing password and login information.

4.2. What is an eligible data breach?

An ‘eligible data breach’ under the MNDB Scheme is determined using the following tests that must both be satisfied:

  1. There is an unauthorised access to, or unauthorised disclosure of, personal information held by a public sector agency, or there is a loss of personal information held by a public sector agency in circumstances that are likely to result in unauthorised access to, or unauthorised disclosure of, the information; and

  2. A reasonable person would conclude that the access or disclosure of the information would be likely to result in serious harm to an individual to whom the information relates.

‘Serious harm’ is not defined under the PPIP Act. In its guidance, the NSW Information Privacy Commissioner (the IPC) says ‘harm to an individual includes physical harm; economic, financial or material harm; emotional or psychological harm; reputational harm; and other forms of serious harm that a reasonable person in the agency’s position would identify as a possible outcome of the data breach’. The IPC goes on to say that ‘serious harm occurs where the harm arising from the eligible data breach has, or may, result in a real and substantial detrimental effect to the individual. The effect on the individual must be more than mere irritation, annoyance or inconvenience’. Examples of harms include identity theft, financial loss or blackmail, threats to personal safety, loss of business or employment opportunities, humiliation, stigma, embarrassment, damage to reputation or relationships, discrimination, bullying, marginalisation, or other forms of disadvantage or exclusion.

The PPIP Act refers to factors that the Art Gallery should consider when assessing any risk of serious harm resulting from a data breach. These include, but are not limited to, the following (not all of which will be relevant in every case):

  • type of personal information accessed, disclosed or lost, and whether a combination of types of personal information might lead to increased risk

  • level of sensitivity of the personal information accessed, disclosed or lost

  • amount of time the personal information was exposed or accessible, including prior to the discovery of the breach by the Art Gallery

  • circumstances of the individuals affected and their vulnerability or susceptibility to harm

  • circumstances in which the breach occurred

  • actions taken by the Art Gallery to reduce the risk of harm following the breach

‘Likely to result in serious harm’ means that the risk of serious harm to an individual is more probable than not in the circumstances. It will be assessed on the basis of whether an individual in those circumstances might suffer serious harm if their personal information was lost, or subject to unauthorised access or unauthorised disclosure.

5. Roles and responsibilities

All data breach incidents are assessed by an internal Data Breach Response Team (Response Team) in accordance with guidelines set by the IPC.

Membership and responsibilities of the Data Breach Response Team include:

  • Chief Operating Officer (COO) – is ultimately responsible for the Art Gallery’s responses to a data breach and any required reporting to external bodies such as the NSW Information Privacy Commissioner. In leading the Art Gallery’s response, the COO will take advice from other members of the Response Team. The COO is also responsible for coordinating any investigation into the breach and amending any policies or procedures.

  • Head of Information Communication Technology (ICT) – responsible for assessment, containment and reporting back to the Response Team about the breach and steps to mitigate risk of harm to affected individuals, coordinating with Cyber Security NSW and other external parties regarding the Art Gallery response, investigating the breach, as well as implementing any measures to prevent future breaches of that nature. ICT will also update the internal data breach incident register and coordinate internally to ensure the public notification register is maintained and published in accordance with the PPIP Act.

  • General Counsel (Legal) – responsible for reviewing the Art Gallery’s obligations to external parties and affected individuals under the PPIP Act and assessing the Art Gallery’s rights with respect to any third parties involved in the data breach; ensuring that contracts with third parties handling personal information comply with the MNDB Scheme; advising the Art Gallery with respect to actions taken and communications strategies; investigating the breach; and reviewing proposed amendments to policies and procedures.

  • Head of People and Culture – responsible for any communications to staff and volunteers regarding the data breach, and for recommending actions in relation to staff consistent with the Art Gallery’s Code of Conduct.

  • Communications Manager – responsible for drafting appropriate communications to affected individuals and staff (including contractors where applicable) that are compliant with the PPIP Act and IPC NSW guidance.

Where the circumstances warrant it, the Response Team may also draw on expertise and advice from:

  • Head of Government Relations and Governance;

  • Head of Digital Engagement;

  • Art Gallery Society; and

  • such other staff as required,

on data breaches related to the Art Gallery’s website infrastructure or NSW Government managed infrastructure external to the Art Gallery’s managed environment.

6. Data breach reporting and response

6.1. When a data breach happens

When a data breach or suspected data breach occurs, the Art Gallery will:

Step: Containment

Data breach response:
Immediately make all reasonable efforts to contain the breach, which may include some or all of the following measures (and others as appropriate from time to time):

  • contacting targeted recipients of malicious emails and requesting them to delete the suspect email

  • removing information or data from systems

  • suspending accounts

  • patching systems

  • issuing alerts to Art Gallery staff about suspected breaches and measures they need to take regarding data security

Step: Investigation

Data breach response:
Investigate immediately to identify whether a breach has occurred, collecting information about:

  • the time and date the breach/suspected breach occurred;

  • a description of the breach, how the breach occurred and the type of breach that occurred;

  • the personal information that was the subject of the breach and the amount of time the information was exposed for; and

  • any other relevant information.

Additional steps if assessed as an ‘eligible data breach’:
The Response Team will undertake an assessment within 30 days of the data breach event to determine whether an eligible data breach has occurred (section 4.4).

Notify the NSW Privacy Commissioner immediately on assessing that an eligible data breach has occurred (s59M, PPIP Act).

Step: Notification

Data breach response:
Issue a communication as soon as possible (aiming for within 24 hours of becoming aware of a breach or suspected breach) to affected individuals alerting them to:

  • the possibility of the data breach, what information is known at that point in time, providing the following information as much as is reasonably practicable:

    – the date the data breach occurred

    – a description of the data breach

    – how the data breach occurred

    – the type of data breach that occurred

    – the personal information included in the data breach

    – the amount of time the personal information was disclosed for

  • any actions taken or planned to ensure personal information is secure, or to control or mitigate the risk of harm done to affected individuals;

  • recommendations about the steps affected individuals should take in response to the data breach (such as changing their passwords);

  • intention to issue further communications as more details come to light;

  • information about complaints and review of agency conduct; and

  • contact details for the agency subject to the data breach or the nominated contact person in relation to the data breach.

The Art Gallery will issue further communications to affected individuals as and when more details come to light, including what actions the Art Gallery is taking to prevent future breaches of this nature.

Additional steps if assessed as an ‘eligible data breach’:
Consider whether any exemptions to notification in section 6.2 apply.

If no exemptions apply, issue communications to affected individuals which include:

  • the Art Gallery’s assessment about serious risk of harm to them or others;

  • information about how to make a complaint or seek an internal review;

  • the name of any NSW Government agencies or third parties involved and their contact details.

The Art Gallery will publish a public notification about the eligible data breach on its website in accordance with section 59P of the PPIP Act. If affected individuals are unable to be contacted, they will be able to access the public notice.

The Art Gallery will maintain an internal register for eligible data breaches (s59ZE, PPIP Act).

Step: Public register

Additional steps if assessed as an ‘eligible data breach’:
Published notifications will be made available in an eligible data breach register on the Art Gallery’s public website. Notifications will remain on the Art Gallery’s eligible data breach public notification register for at least 12 months.

6.2. Exemptions to notify affected individuals

The PPIP Act does not require the Art Gallery to notify individuals of an eligible data breach if an exemption applies (s59S to 59X, PPIP Act). However, the Art Gallery is still required to report the breach to the NSW Information Privacy Commissioner. The exemptions under the PPIP Act are described here:

  • Breaches involving multiple agencies – usually one of the agencies will take responsibility for notification to affected individuals. Where the Art Gallery is the responsible agency, the Art Gallery will notify affected individuals.

  • Investigations and legal proceedings – the exemption applies where the Art Gallery reasonably believes that the notification would prejudice investigations that could lead to prosecution of an offence, proceedings before a court or tribunal or another matter prescribed by regulations.

  • Mitigation of harm – where the Art Gallery has taken steps to mitigate the harm done by the breach, the action is taken before the breach results in serious harm to the individual, and, because of the action taken, a reasonable person would conclude that the breach would not be likely to result in serious harm to the individual.

  • Secrecy provisions – this exemption would operate where compliance by the Art Gallery with the notification requirements would be inconsistent with a secrecy provision in an Act or statutory rules that prohibits or regulates use or disclosure of information.

  • Serious risk of harm to health or safety – this exemption would apply where the Art Gallery reasonably believes that notification would create a serious risk of harm to an individual’s health or safety. Use of this exemption must be justified to the NSW Information Privacy Commissioner.

  • Cyber security – where the Art Gallery reasonably believes that notification would worsen the Art Gallery’s cyber security or lead to further data breaches. Use of this exemption can only be temporary while the risk is active and must be justified to the NSW Information Privacy Commissioner and reported against each month while the situation persists.

7. Other reporting obligations

The Art Gallery may be required, by other laws or administrative arrangements or by contract, to take specific steps in response to a data breach. These may include taking specific containment or remediation actions or notifying external stakeholders (in addition to the NSW IPC or OAIC) when a data breach occurs.

For example, a data breach at an NSW public sector agency that involves Tax File Numbers and is likely to result in serious harm would be reportable to both the Office of the Australian Information Commissioner (OAIC) under the Commonwealth NDB scheme, and the NSW IPC under the MNDB scheme.

Depending on the circumstances of the data breach and the categories of data involved, the Art Gallery may need to engage with any of the following (or others as appropriate):

  • NSW Police Force or other law enforcement

  • Australian Federal Police

  • The Australian Taxation Office

  • The Office of the Government Chief Information Security Officer

  • Any third-party organisations or agencies whose data may be affected

  • Financial services providers

  • IDCare

  • ID Support NSW

  • Professional associations, regulatory bodies or insurers

  • Foreign regulatory agencies

  • Cyber Security NSW

  • The Australian Cyber Security Centre

  • NSW Department of Customer Service

  • Office of the Australian Information Commissioner (OAIC) where a data breach may involve tax file numbers or agencies under Federal jurisdiction

8. Further information and contacts

For further information about this policy, an eligible data breach on the public notification register or if you have any concerns, please contact:

Privacy Contact Officer
Art Gallery of New South Wales
Art Gallery Road, the Domain
Sydney NSW 2000
Email: artmail@ag.nsw.gov.au

For more information on privacy rights and obligations in New South Wales, please contact the NSW Privacy Commissioner at:

NSW Information and Privacy Commission
Level 17, 201 Elizabeth Street
Sydney NSW 2000
Phone: 1800 472 679
Web: www.ipc.nsw.gov.au
Email: ipcinfo@ipc.nsw.gov.au