Data breach policy

1. Purpose

The Department of Customer Services, Open Data and Small and Family Business (CDSB) is subject to Queensland's Information Privacy Act 2009 (IP Act) and its Queensland Privacy Principles (QPPs), which set out how we must handle personal information.

At times, and in relation to certain types of information, we may also have privacy obligations under the Commonwealth Privacy Act 1988 and its Australian Privacy Principles (APPs).

We are committed to protecting individuals' privacy, and we value the open, transparent and responsible handling of personal information. This policy outlines how we will manage data breaches in accordance with the IP Act and (where applicable) the Privacy Act 1988.

2. Scope

This policy applies to:

  • Data breaches involving personal information held by us, including eligible data breaches. The definitions of 'data breach' and 'eligible data breach' are set out under Definitions at the end of this policy.
  • All employees working for us, regardless of whether they are permanent, fixed-term temporary, full-time, part-time or casual employees, on a fixed term contract and/or on secondment from another department or participating in a mobility arrangement. It also applies to other persons who perform work for us, including contractors, students gaining work experience and volunteers. For the purposes of this policy, the term contractor includes on-hired temporary labour services (agency staff).
  • All personal information collected by us, and all personal information in our possession or under our control.

3. Policy statement

3.1 Data breach management process

The data breach management process includes 6 main steps, detailed as follows.

Step: Preparation
Actions: CDSB has developed processes to support the data breach management process if required, including:

  • Privacy training and awareness
  • Information security and incident management policies and procedures
  • Data breach register

Preparation includes learning from previous incidents when following this process.
Role: All CDSB staff

Step: Identify the breach
Actions: A potential data breach should be reported to a manager and, if required, the IT Service Desk. Staff should err on the side of caution if they are unsure whether a breach has occurred.
Role: All CDSB staff; IT Service Desk

Step: Contain the breach
Actions: Depending on the nature of the data breach, the relevant lead will take all reasonable steps to contain the breach or prevent further damage from it. The objective is to lessen the likelihood of harm and to act as soon as practicable.
Role: Information or Incident Manager

Step: Evaluate the risks
Actions: Evaluate the kinds of personal information involved, the sensitivity of the information, the likelihood that any protective measures will be overcome, and the nature and seriousness of any harms likely to result from the data breach (harm assessment). Use the assessment tools available.
Role: Information or Incident Manager
Actions: Approval of the harm assessment. If harm is assessed as serious and likely, the breach is an eligible data breach.
Role: DDG Corporate Services

Step: Notify (eligible data breaches)
Actions: Make notifications to the Information Commissioner and affected individuals, after assessing whether any relevant exemptions apply (notification assessment).
Role: Legal Services; DDG Corporate Services

Step: Post-incident processes
Actions: Post-incident review, including:

  • root cause analysis
  • evidence examination
  • handling of the incident.

Findings should be captured and shared with governance and assurance teams, with recommendations about improvements to the data breach management process, if any.
Role: Information or Incident Manager; Legal Services

The specific actions to be undertaken in each of these steps will be determined in accordance with the CDSB Security Incident Response Plan.

3.2 Data breach register

The department will keep and maintain a register of eligible data breaches in accordance with section 72 of the Information Privacy Act 2009 (Qld).

3.3 Privacy complaints

If you become aware of a data breach involving personal information that we hold about you, and if you believe that we've failed to handle your personal information appropriately, you can make a privacy complaint.

Our Privacy policy provides information on how to make a privacy complaint to us.

4. Reporting requirements

We are obliged to notify the Information Commissioner of eligible data breaches in accordance with Chapter 3A of the IP Act and (where applicable) Part IIIC of the Privacy Act 1988 (Cth).

5. Approval

Approved by: Deputy Director-General, Corporate Services  
Date: 1 July 2025

Contacts and References

Contacts

Manager, Right to Information and Privacy
Business Area: Legal Services
Division: Corporate Services
Telephone: (07) 3008 2903
Email: CDSBRTIandPrivacy@cdsb.qld.gov.au

References

The requirements set out in this document are based on, and are consistent with, relevant government legislation, regulations, directives, information standards and/or policies at the time of publication.

Legislation and regulations

Department documents

Definitions

Affected individual: An individual whose personal information has been part of a data breach of the agency.

Data breach: In relation to personal information held by us, where either of the following has occurred:

  1. unauthorised access to, or unauthorised disclosure of, the information
  2. the loss of the information in circumstances where unauthorised access to, or unauthorised disclosure of, the information is likely to occur.

Disclosure: We disclose personal information whenever we:

  • give personal information to someone outside of CDSB who doesn't already know the information and isn't in a position to be able to find it out
    and
  • cease to have control over who will know the information in the future.

Eligible data breach: A data breach that is likely to cause serious harm to an individual whose personal information is involved in the breach.

Held or hold (in relation to personal information): We hold personal information, or personal information is held by us, if the personal information is contained in a document in our possession or under our control.

Information asset: An identifiable collection of data stored in any manner and recognised as having value for the purpose of enabling an agency to perform its business functions, thereby satisfying a recognised agency requirement.

Personal information: Information or an opinion about an identified individual, or an individual who is reasonably identifiable from the information or opinion:

  1. whether the information or opinion is true or not
    and
  2. whether the information or opinion is recorded in a material form or not.

(Section 12 of the IP Act)

Serious harm: Serious harm means:

  1. serious physical, psychological, emotional, or financial harm to an individual because of the access or disclosure
    or
  2. serious harm to an individual's reputation because of the access or disclosure.

(Schedule 5 of the IP Act)

Staff: All:

  • employees working for CDSB, regardless of whether they are permanent, fixed-term temporary, full-time, part-time, casual, on a fixed term contract and/or on secondment from another department or participating in a mobility arrangement
  • other persons who perform work for CDSB, including contractors, students gaining work experience and volunteers.

For the purposes of this policy, the term 'contractor' includes on-hired temporary labour services (agency staff).

Unauthorised access: Access to information held by CDSB by someone who is not authorised to do so.

Unauthorised disclosure: Intentional or unintentional disclosure, without permission or authorisation, of personal information held by CDSB.

Human Rights

Decision makers must act and make decisions in a way that is compatible with human rights. They must consider human rights in any decision, as required by section 58 of the Human Rights Act 2019 (Qld). Refer to the Human rights section on the For government employees website.

Version control

Version 1.0 : 1 July 2025