Queensland Health Data Breach Guideline
The purpose of this Data Breach Guideline is to set out how Queensland Health (the Department of Health) will respond to data breaches in accordance with the Mandatory Notification of Data Breach Scheme under the Information Privacy Act 2009 (Qld).
Introduction
The purpose of this Data Breach Guideline (Guideline) is to set out how the Department of Health (‘the Department’) will respond to data breaches in accordance with the Mandatory Notification Data Breach (MNDB) Scheme under the Information Privacy Act 2009 (Qld) (IP Act).
While not all breaches will be eligible data breaches requiring notification under the MNDB Scheme, the Department takes all data breaches seriously and will identify, assess, and manage each data breach in accordance with this Guideline.
What legislation applies to us?
The IP Act applies to the Department and outlines the rules we must comply with in relation to personal information. Under the IP Act, 'personal information' is information or an opinion about an identified individual or an individual who is reasonably identifiable from the information or opinion:
- whether the information or opinion is true or not, and
- whether the information or opinion is recorded in a material form or not.
These rules are found across the IP Act including in the Queensland Privacy Principles (QPPs) which tell us how the Department can collect, use, disclose, secure, and destroy personal information.
The IP Act also includes rules around how the Department must deal with data breaches, including those involving personal information that are assessed as being 'eligible data breaches' under the IP Act.
We also hold tax file numbers (TFNs) and in the event of a data breach, notification will be made in accordance with the Commonwealth’s Privacy Act 1988.
What is a data breach?
A ‘data breach' is defined in the IP Act and means either of the following in relation to information held by the Department:
- unauthorised access to, or unauthorised disclosure of, personal or non-personal information, or
- the loss of personal or non-personal information in circumstances where unauthorised access to, or unauthorised disclosure of the information is likely to occur.
A data breach may involve any personal or non-personal information we hold. However, this Guideline (and our obligations under the MNDB Scheme) focuses on how the Department will respond to data breaches involving personal information.
What is 'unauthorised access' to, or 'unauthorised disclosure' of, information?
Access to, or disclosure of, information is unauthorised if it happens without proper permission, licence, or legitimate purpose (whether intentionally or unintentionally). Unauthorised access and disclosure may occur within the Department, between the Department and other Government agencies, or external to the Department. Access and disclosure are not mutually exclusive and can occur as a result of the same breach or as part of a chain of events.
What is loss of personal information?
Loss of personal information occurs where the Department loses possession or control of personal information. Loss may occur because of a deliberate or accidental act or omission of the Department, or due to the deliberate action of a third party.
What are our obligations under the MNDB Scheme?
If we know or reasonably suspect that a data breach is an eligible data breach, then we must:
- immediately (and continue to take all reasonable steps to):
  - contain the data breach
  - mitigate the harm caused by the data breach
- if we are uncertain about whether the data breach is eligible, assess (within 30 days of becoming aware of the data breach) whether there are reasonable grounds to believe the data breach is an eligible data breach.
If we know, or reasonably believe, that a data breach is an eligible data breach then we must, as soon as practicable (unless certain limited exemptions apply), notify:
- the Information Commissioner
- any particular individuals.
If we become aware that an eligible data breach may affect another government agency, we must tell that agency.
What is an eligible data breach?
An eligible data breach under the IP Act means both of the following occurring in relation to information we hold:
- there is a data breach involving personal information, and
- the data breach is likely to result in serious harm to an individual to whom the personal information relates.
An eligible data breach may occur internally within the Department or involve the unauthorised access and/or disclosure of personal information by or to external parties, including threat actors or contractors.
For example, the following kinds of data breaches may constitute eligible data breaches:
- a cyberattack, phishing, malware, or hacking incident against an agency's database allowing access by external parties
- a contractor disclosing sensitive personal information to external parties
- an online internal database or portal is accidentally made publicly available
- unauthorised access by an Agency worker or individual to a restricted internal file containing sensitive personal information
- a worker accidentally losing or misplacing documents containing sensitive or personal information.
What is serious harm?
If there are reasonable grounds to believe that a data breach involving personal information has resulted in, or is likely to result in, ‘serious harm’ to one or more of the individuals to whom the information relates, the data breach is considered an ‘eligible data breach’.
Serious harm is defined in schedule 5 of the IP Act to include:
- serious physical, psychological, emotional, or financial harm to the individual because of the access or disclosure, or
- serious harm to the individual's reputation because of the access or disclosure.
The effect on an individual must be more than mere irritation, annoyance, or inconvenience.
Examples of harms include:
- identity theft
- financial loss
- threats to personal safety
- loss of business or employment opportunities
- humiliation and embarrassment
- damage to reputation or relationships
- discrimination, bullying, or other forms of disadvantage or exclusion.
Section 47(2) of the IP Act prescribes factors to consider when assessing whether the likely harm is 'serious harm' as follows:
- the kind of personal information accessed, disclosed or lost
- the sensitivity of the personal information
- whether the personal information is protected by security measures
- if the personal information is protected by one or more security measures, the likelihood that any of those security measures could be overcome
- the persons, or kinds of persons, who have obtained, or who could obtain, the personal information
- the nature of the harm likely to result from the data breach, and
- any other relevant matter.
Some other factors or issues that may be relevant in assessing serious harm include:
- the circumstances of the individuals affected and their vulnerability or susceptibility to harm (that is, if any individuals are at heightened risk of harm or have decreased capacity to protect themselves from harm)
- the circumstances in which the breach occurred, for example, a third party has obtained access to the personal information, and
- actions we may have taken to reduce the risk of harm following the data breach.
Roles and responsibilities for managing data breaches
The chief executive (Director-General) is ultimately responsible for the Department's compliance with the IP Act, including the MNDB Scheme. The Privacy and Right to Information (PRTI) Unit manages our privacy function.
Agency workers have a responsibility to ensure personal information they handle in the performance of their duties is managed in accordance with the IP Act. Agency workers in the Department have a responsibility to identify, escalate, and investigate data breaches.
Agency workers should consult internal procedures for detailed guidance on how to respond to a data breach in accordance with this Guideline.
A high-level overview of relevant responsibilities within the Department is below.
Agency stakeholders | Responsibilities |
---|---|
Agency workers | |
Business area impacted by breach | |
Privacy and Right to Information Unit | |
Data Breach Response Team (if needed) | |
Director-General | |
How do we identify, contain, and assess data breaches?
How to respond to a data breach will be determined on a case-by-case basis, to account for the varied types of data breaches that may occur. However, the Department’s strategy for responding to data breaches will generally cover the following steps:
- Step 1 - identify and escalate the data breach internally
- Step 2 - contain and mitigate the data breach
- Step 3 - assess the likelihood of serious harm from the data breach
- Step 4 - notify individuals and/or agencies about the data breach, where required or otherwise warranted
- Step 5 - implement preventative actions to minimise the likelihood of a similar data breach reoccurring.
Step 1: How do we identify and escalate data breaches?
When a data breach is identified that involves personal information (whether through a service provider, the public, or from within the Department), Agency workers are expected to report that data breach immediately to the PRTI Unit. The PRTI Unit will undertake or recommend any additional escalations/reports.
Any report to the PRTI Unit will need to include details about the data breach, including the nature of the information involved (for example, whether it includes personal information) and the circumstances surrounding the data breach, to inform our containment/mitigation actions and our assessment.
Step 2: What do we do to contain and mitigate data breaches?
At this stage of a data breach, we are taking steps to limit the extent and duration of the data breach and make any effects from the data breach less harmful. We may take the following actions to contain and mitigate a data breach:
- making efforts to recover the personal information
- securing, restricting access to, or shutting down breached systems
- suspending the activity that led to the data breach
- revoking or changing access codes or passwords.
The business area impacted by the data breach will collaborate as needed with the PRTI Unit to take any containment and mitigation actions. We have an immediate and ongoing obligation to contain the data breach and mitigate any harm while we manage our assessment of, and response to, the data breach. The PRTI Unit will also be responsible for coordinating any internal advice and assistance, such as assistance from the Department's information technology services or cyber security unit in containing and mitigating the data breach.
To determine the appropriate containment or mitigation actions, we may consider the following questions.
- What happened to cause the data breach, and can interim controls be implemented?
- Do we need to work with any third parties or service providers to investigate and resolve the data breach?
- Can the personal information be recovered?
- Can the person who has incorrectly received personal information be contacted?
- Can the system which has been breached be shut down?
Step 3: How do we assess data breaches?
The PRTI Unit will assess the data breach to understand any consequences and next steps to be taken in dealing with the data breach. This will involve assessing whether the data breach involves personal information and whether it is an eligible data breach.
As part of this assessment, we may consider the following questions.
- How serious is the data breach? What type of personal information is involved?
- Who are the people or third parties potentially affected?
- What was the cause?
- Should we contact any other internal or external subject matter experts (e.g. technical investigators or auditors, Cyber Security or Legal Branch)?
- What is the likelihood of serious harm to the affected individuals – is there an “eligible data breach” and, if so, should any notifications occur?
- What steps should be taken by the Department to minimise or avoid any potential harm to individuals?
This assessment needs to be completed within 30 days of becoming aware of the data breach. If we cannot complete our assessment within 30 days, we can extend that timeframe as we reasonably require.
Step 4: When do we notify particular individuals and the Information Commissioner about data breaches?
If our assessment means that we know, or reasonably believe, that a data breach is an eligible data breach then we must, as soon as practicable, notify:
- the Information Commissioner
- particular individuals.
Please see the section below explaining how we handle notifications of eligible data breaches.
Step 5: How do we prevent future data breaches?
We endeavour to learn lessons from any data breaches so we can minimise the risk of similar incidents reoccurring. As part of future breach prevention, we may consider the following questions or take the following actions:
- Can we provide training to our Agency workers?
- What was the root cause of the data breach?
- Can we update our existing internal processes?
- Does our internal register of eligible data breaches show any reoccurring issues?
- Can we permanently implement any of the interim containment or mitigation actions taken in response to the breach?
After an eligible data breach has been handled, a post-incident review of the process used will be conducted and any recommendations documented.
How do we handle notifications of eligible data breaches?
Under the MNDB Scheme, the Director-General must, as soon as practicable after forming a reasonable belief that there has been an eligible data breach, and unless an exception applies:
- notify the Information Commissioner about the eligible data breach
- take reasonable steps to notify affected individuals and/or organisations about the eligible data breach.
Notification to individuals will be determined by a harm and risk assessment. If there is a foreseeable risk of harm, notification should occur unless the notification is likely to cause more harm than it would alleviate.
The method of notification is determined on a case-by-case basis. However, in such circumstances, we will generally notify:
- the Information Commissioner using the form available from Reporting a privacy breach | OIC
- particular individuals using correspondence (post or email), telephone scripts, or our website.
In addition, if we become aware the eligible data breach:
- may affect another agency, we will give written notice to the other agency
- involves TFNs, we will notify the Australian Information Commissioner
- warrants additional notifications (on a voluntary or mandatory basis), we may notify other entities such as:
  - counterparties to contracts or memorandums of understanding
  - the Queensland Police Service
  - the Crime and Corruption Commission Queensland
  - the Queensland Government Insurance Fund.
What will we tell the Information Commissioner?
If it is necessary to notify the Information Commissioner under the MNDB Scheme, we will provide the following information, depending on the nature of the breach:
- the agency (or agencies) affected by the data breach and how to contact the agency
- the date the data breach occurred, how the data breach occurred, and a description of the type of eligible data breach (e.g. access, disclosure, loss)
- the period of time for which access to or disclosure of the personal information was available or made
- a description of the kinds of personal information impacted by the data breach
- the steps we recommend individuals should take in response to the data breach
- any other agencies on behalf of whom we are reporting the data breach
- the steps the agency has taken to contain the breach and mitigate the harm caused to people by the data breach
- the number of people impacted by the data breach (including the number of people at likely risk of serious harm)
- the number of people who will be notified about the data breach and whether those people have been advised of their rights to make a privacy complaint to the agency.
What will we tell particular individuals?
If it is necessary to make a notification to particular individual(s) under the MNDB Scheme, we may notify them of the following information:
- the name of agency (or agencies) affected by the data breach and how to contact the agency about the data breach
- the date the data breach occurred, how the data breach occurred, and a description of the type of eligible data breach (e.g. access, disclosure, loss)
- the period of time for which access to or disclosure of the personal information was available or made
- a description of the kinds of personal information impacted by the data breach
- the steps we recommend individuals should take in response to the data breach
- any other agencies on behalf of whom we are reporting the data breach
- the steps the agency has taken to contain the data breach and mitigate the harm caused to people by the data breach
- how people can make a privacy complaint to the agency.
What will we tell other agencies?
If we determine written notice to another agency is required under the MNDB Scheme or otherwise warranted, we may generally tell the other agency the following information:
- how to contact us about the data breach
- the date the data breach occurred, how the data breach occurred, and a description of the type of eligible data breach (e.g. access, disclosure, loss)
- a description of the kinds of personal information impacted by the data breach
- the steps we are taking in relation to the data breach.
How do we record and store documents relating to data breaches?
The Department will:
- keep records of the data breach, including the assessment about whether a data breach is an eligible data breach, consistent with our obligations to maintain public records in accordance with the Public Records Act 2023
- maintain an internal register of any eligible data breaches, consistent with our obligation under s.72 of the IP Act.
We use secure systems to hold personal information and our public records, and we take all reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access, modification or disclosure.
How have we prepared ourselves to respond to data breaches?
We take the following actions to prepare the Department for managing data breaches:
- information asset audits
- information sharing agreement reviews
- ensuring the currency and accuracy of privacy collection notices
- systems security reviews
- entering into arrangements with third-party providers who collect or store personal information on behalf of the Department so those providers are aware of the MNDB Scheme and their obligations to report any data breaches to the Department
- access controls and privileges
- Information Security Management System
- conducting privacy impact assessments
- conducting reviews of data breaches to identify and implement key learnings
- delivering annual privacy training for Agency workers regarding the risks associated with data breaches and their responsibilities in identifying, responding to, reporting and preventing such incidents.
To ensure that Agency workers are and remain aware of their obligations under the MNDB Scheme, the Department will:
- prepare and notify Agency workers of our Data Breach Response Plan and publish it and any additional relevant awareness material on the Department’s intranet
- promote the Guideline and our Data Breach Response Plan
- provide training and raise awareness of privacy obligations generally.
We have implemented the following key processes to support expeditious management of data breaches:
- privacy policy
- data breach response plan (to be reviewed annually)
- annual privacy training.
For information about how we handle personal information more broadly, please refer to the Queensland Health Privacy Policy.
Definitions
Term | Meaning |
---|---|
Affected individual | An “affected individual” under section 47(1)(ii) of the IP Act. |
Agency worker | A person who carries out work in any capacity for an agency as defined in section 7 of the Work Health and Safety Act 2011 (Qld), including work as: |
Australian Information Commissioner | The Australian Information Commissioner. |
Commonwealth Privacy Act | The Privacy Act 1988 (Cth) |
Data breach | A data breach is defined in the IP Act to mean either of the following in relation to information held by an agency: |
Data Breach Guideline | This Guideline. |
Data Breach Response Plan | A procedural document internal to the Department complementing this Data Breach Guideline. |
Eligible data breach | An ‘eligible data breach’ will have occurred under section 47 of the IP Act where: |
Held or hold in relation to personal information | Personal information is held by the Department, or the Department holds personal information, if the personal information is contained in a document in the possession, or under the control, of the Department. |
Information Commissioner | The Queensland Information Commissioner |
IP Act | The Information Privacy Act 2009 (Qld) |
Personal information | Information or an opinion about an identified individual or an individual who is reasonably identifiable from the information or opinion: |
Privacy breach | A privacy breach in the Department occurs when there is a failure to comply with one or more of the Queensland Privacy Principles set out in the Information Privacy Act 2009 (Qld) (IP Act). A privacy breach most commonly, but not exclusively, results in unauthorised access to, or the unauthorised collection, use, or disclosure of, personal information. |
TFN | A tax file number (TFN) is a unique identifier issued by the Commissioner of Taxation to individuals and entities for tax administration purposes. |