This Data Breach Policy (Policy) sets out an overview of the Independent Liquor & Gaming Authority (the Authority, ILGA) procedures in relation to detecting, responding to, managing, notifying and reporting eligible data breaches in accordance with the Mandatory Notification of Data Breach Schedule (the MNDB Scheme) under Part 6A of the Privacy and Personal Information Protection Act 1998 (NSW) (PPIP Act).
This Policy complies with section 59ZD of the PPIP Act. This Policy provides a framework for ILGA’s compliance with the MNDB Scheme.
ILGA personnel should consult internal procedures for detailed guidance on how to respond to a data breach in accordance with this Policy.
The purpose of this Policy is to set out how ILGA will respond to data breaches involving personal information. While not all data breaches will be eligible data breaches, ILGA takes all data breaches seriously and will assess each data breach in accordance with this Policy.
This Policy applies to and must be adhered to and implemented by all personnel.
All personnel have a responsibility to notify the Director, Office of ILGA (OILGA) of any data breach immediately on becoming aware that a data breach has occurred and provide information about the data breach in accordance with procedures in our Data Breach Response Plan.
A data breach occurs when there has been unauthorised access to, unauthorised disclosure of or loss of personal information (including health information) held by (or on behalf of) ILGA or any accidental or unlawful destruction or alteration of personal information held by (or on behalf of) ILGA.
A data breach may occur as the result of a malicious action, systems failure or human error. A data breach may also occur because of a misconception as to whether a particular act or practice is permitted under the PPIP Act.
If there are reasonable grounds to believe that the data breach has resulted in, or is likely to result in, serious harm to one or more of the individuals to whom the information relates, the data breach is an ‘eligible data breach’.
Serious harm occurs where there is a substantial detrimental effect on an individual and can be physical, psychological, emotional, financial, or reputational harm. Examples of harms include identity theft, financial loss or blackmail, threats to personal safety, loss of business or employment opportunities, humiliation, stigma, embarrassment, damage to reputation or relationships, discrimination, bullying, marginalisation, or other forms of disadvantage or exclusion.
ILGA takes reasonable security safeguards against the loss, unauthorised access, use, modification and disclosure of personal information. ILGA has policies and processes for preventing and managing data breaches. The ILGA Data Breach Response Plan provides detailed guidance on how to respond to a data breach in accordance with this Policy.
ILGA will consider a number of factors in assessing a data breach including the NSW Privacy Commissioner’s statutory guidelines and will engage the following steps in response to all data breaches:
In accordance with section 59O of the PPIP Act, the notification will include the following specific information, if reasonably practicable:
To ensure that ILGA personnel are and remain aware of their obligations under the MNDB Scheme, ILGA will:
For further information about this Policy, an eligible data breach on the public notification register or if you have any concerns, please contact ILGA:
Independent Liquor and Gaming Authority
McKell Building
2-24 Rawson Place
Sydney NSW 2000
Email: office@ilga.nsw.gov.au
For more information on privacy rights and obligations in New South Wales, please contact the NSW Privacy Commissioner at:
NSW Information and Privacy Commission
Level 17, 201 Elizabeth Street
Sydney NSW 2000
Phone: 1800 472 679
Web: www.ipc.nsw.gov.au
Email: ipcinfo@ipc.nsw.gov.au