PRIVACY/DATA BREACH POLICY & PROCESS

A privacy breach generally refers to the unauthorised access and retrieval of your personal information and data, which may include both corporate and individual information. Managing privacy breaches is important to comply with the Privacy and Data Protection Act 2014 (VIC) and the CircleSource Privacy Policy, and to protect your personal information, your organisation and employees when a privacy breach occurs.

The terms "We", "Us", "Our", or "CircleSource" include CircleSource Pty Ltd and our affiliates.

1. How Privacy Breaches could occur

Privacy breaches can occur for a variety of reasons. Possible ways in which a privacy breach may occur include:

  • Human error:
      o Loss of laptop, phone, information storage devices or paper records containing member and/or personal information;
      o Sending personal information to a wrong e-mail or physical address, or disclosing information to a wrong recipient;
      o Unauthorised access or disclosure of personal information by CircleSource employees;
      o Improper disposal of personal information (e.g. hard disk, storage media or paper documents containing personal information sold or discarded before information is properly deleted);

  • Malicious activities:
      o Hacking incidents / illegal access to databases containing member personal information;
      o Theft of laptop, phone, data storage devices or paper records containing member personal information;
      o Scams that trick organisations into releasing member personal information;

  • Computer system error: Errors or bugs in the programming code of websites, databases and other software which may be exploited to gain access to personal information stored on computer systems.

2. Privacy Breach Management Plan

It is the policy of CircleSource that in the event that a privacy breach happens, the following breach management plan is strictly adhered to. There are five steps to this Breach Management Plan:

I. Identification and classification

When a privacy breach occurs, it should be reported immediately by notifying the CircleSource Chief Technical and Operations Officer (CTOO) by email to ajackson@circlesource.com. The CTOO will send a copy of the report to the CircleSource CEO and to our Technology Partner, SparkEleven, at matt@sparkeleven.com.au.

The report should include:

  • Details of the breach, such as date and time;

  • Who/what reported the breach;

  • Description of the breach;

  • Details of any ICT systems involved;

  • Corroborating material such as error messages, log files, etc.;

  • An account of immediate actions taken;

  • An account of the Breach Management steps (II – V) to be taken.


II. Containment and recovery

As part of the Privacy Breach Management steps to be taken, the following measures have to be considered immediately, where applicable:

  • Shut down the compromised system that led to the privacy breach;

  • Prevent further unauthorised access to the system;

  • Reset passwords if accounts and passwords have been compromised;

  • Establish whether steps can be taken to recover lost data and limit any damage caused by the breach (e.g. remotely disabling a lost laptop containing personal information of clients and/or individuals);

  • Isolate the causes of the privacy breach in the system, and where applicable, change the access rights to the compromised system and remove external connections to the system;

  • Notify the police if criminal activity is suspected and preserve evidence for investigation (e.g. hacking, theft or unauthorised system access by an employee);

  • Put a stop to practices that led to the privacy breach;

  • Address lapses in processes that led to the privacy breach.


III. Risk assessment

Knowing the risks and impact of the privacy breach will help to determine the consequences to affected members and organisations, as well as the steps necessary to notify the organisations and individuals affected.


For each privacy breach, the following has to be assessed:

  • How many people were affected? 

  • Whose personal information has been breached?

  • To whom does the personal information belong (e.g. members, their employees, CircleSource employees, contractors, vendors or other third parties)?

  • What types of personal information were involved?

  • Is there a risk to reputation, identity theft, safety and/or financial loss of affected organisations/individuals?

  • How sensitive is the information?

  • Do any additional measures have to be put in place to minimise the impact of the privacy breach?

  • What caused the privacy breach? 

  • When and how often did the breach occur? 

  • Who might gain access to the compromised personal information? 

  • Will compromised information affect transactions with any other third parties?

  • Who needs to be notified?

IV. Reporting of breach

Users and/or individuals affected by the data breach should be notified. 

Who to notify –

  • We will notify members and organisations whose personal information has been compromised;

  • We will notify other third parties such as banks, credit card companies or the police, where relevant;

When to Notify –

  • We notify affected individuals and organisations immediately if a privacy breach involves sensitive personal data. This allows them to take necessary actions early to avoid potential abuse of the compromised data;

  • We notify affected individuals and organisations when the privacy breach is resolved;

How to Notify –

  • We will reach out to affected members and organisations in the most efficient and effective way, taking into consideration the urgency of the situation and number of individuals affected (e.g. e-mails, telephone calls, letters);

  • Notifications will be simple to understand, specific and provide clear instructions on what individuals can do to protect themselves;


What to Notify –

  • How and when the privacy breach occurred, types of personal data involved in the breach;

  • What CircleSource has done or will be doing in response to the risks brought about by the data breach;

  • Specific facts on the privacy breach where applicable, and actions individuals can take to prevent that information from being misused or abused;

  • Contact details and how affected individuals can reach CircleSource for further information or assistance.

V. Evaluation of the response & recovery to prevent future breaches

After these steps have been taken to resolve the privacy breach, the cause of the breach has to be reviewed and it has to be evaluated whether existing protection and prevention measures are sufficient to prevent similar breaches from occurring.


We will assess whether:

  • Audits were regularly conducted on both physical and IT-related security measures;

  • There are processes that can be streamlined or introduced to limit the damage if future breaches happen or to prevent a relapse;

  • There were weaknesses in existing security measures and protection measures, or weaknesses in the use of portable storage devices or connectivity to the Internet;

  • The methods for accessing and transmitting personal information were sufficiently secure;

  • Support services from external parties should be enhanced, such as vendors and partners;

  • The responsibilities of vendors and partners are clearly defined in relation to the handling of personal information;

  • There is a need to develop new privacy-breach scenarios;

  • There were enough resources to manage the privacy breach;

  • Key personnel were given sufficient resources to manage the incident;

  • Employees were aware of security related issues;

  • Training was provided on personal information protection matters and incident management skills;

  • Employees were informed of the privacy breach and the learning points from the incident;

  • Management was involved in the management of the privacy breach;

  • There was a clear line of responsibility and communication during the management of the privacy breach.

3. Changes to our Privacy / Data Breach Policy

CircleSource may change this policy from time to time. Any updated versions of this privacy policy will be posted on our website. Please review it regularly.

This privacy policy was last updated on 23 January 2020.

Copyright © 2017. All Rights Reserved.