Data Incident Management
Eight-stage response workflow with strict timeframes, MNDB Scheme notification requirements, and different procedures for Data.NSW versus agency portals. Includes documentation templates and evidence preservation protocols.
Purpose
Provide a clear protocol for handling data breaches or inadvertent publication of sensitive information in open datasets.
Despite best efforts to safeguard open data, personal or otherwise sensitive data may be released. It is important to manage this quickly and effectively to minimise potential harm to individuals, businesses, the environment, or government. This protocol aligns with the NSW Mandatory Notification of Data Breach (MNDB) Scheme and the IPC's guidance on data breach management.
All agencies must have a local data incident management plan in place before publishing open data. This section outlines the minimum requirements for such a plan in the context of open data publishing.
Data Incident Response Workflow
| Stage | Actions | Responsible Roles | Timeframe |
|---|---|---|---|
| 1. Detection | Identify potential data breach in published open data | Any staff member can report | Immediate |
| Document when and how the incident was discovered | Data Publisher | Immediate | |
| Secure evidence of the breach | Data Custodian | Immediate | |
| 2. Containment | Remove affected dataset from public access | Data Publisher (primary) | Within 2 hours of detection |
| Disable APIs or data services if necessary | Business System Owner | Within 2 hours of detection | |
| Document what data was compromised | Data Custodian | Within 2 hours of detection | |
| Preserve evidence for investigation | Data Custodian | Within 2 hours of detection | |
| 3. Internal Reporting | Notify Chief Data Officer | Data Custodian | Within 4 hours of detection |
| Report to agency privacy officer | Data Custodian | Within 4 hours of detection | |
| Engage cyber security team if relevant | Data Custodian | Within 4 hours of detection | |
| Activate agency data breach response team | Data Custodian | Within 4 hours of detection | |
| 4. Risk Assessment | Identify type of information exposed | Data Custodian | Within 24 hours of detection |
| Determine if personal or sensitive information was released | Legal Advisor | Within 24 hours of detection | |
| Assess potential for harm | Subject Matter Expert | Within 24 hours of detection | |
| Determine if incident qualifies as an 'eligible data breach' under MNDB Scheme | Cyber Security Advisor | Within 24 hours of detection | |
| 5. External Notification | Notify Privacy Commissioner (if required under MNDB Scheme) | Chief Data Officer | Within timeframes specified by MNDB Scheme (typically within 30 days of becoming aware) |
| Notify affected individuals (if required) | Chief Data Officer | Within timeframes specified by MNDB Scheme (typically within 30 days of becoming aware) | |
| Consider notification to other relevant authorities | Subject Matter Expert | Within timeframes specified by MNDB Scheme (typically within 30 days of becoming aware) | |
| 6. Remediation | Correct the dataset | Chief Data Officer | Before republication |
| Apply additional safeguards | Subject Matter Expert | Before republication | |
| Consider alternative publication methods | Data Custodian | Before republication | |
| Review and approve corrected data | Chief Data Officer | Before republication | |
| 7. Republication | Republish corrected dataset | Data Publisher | After approval of remediated data |
| Document changes made | Data Custodian | After approval of remediated data | |
| Update metadata and documentation | Data Custodian | After approval of remediated data | |
| 8. Post-Incident Review | Conduct root cause analysis | Data Custodian | Within 14 days of resolution |
| Document lessons learned | Subject Matter Expert | Within 14 days of resolution | |
| Update procedures to prevent recurrence | Business System Owner | Within 14 days of resolution | |
| Report to Chief Data Officer | Data Custodian | Within 14 days of resolution |
For datasets published on Data.NSW
| Action | Detials |
|---|---|
| Contact the NSW Data Analytics Centre (DAC) immediately | Via data@customerservice.nsw.gov.au |
| Wait for DAC response | DAC will temporarily unpublish the dataset while investigation occurs |
| Continue internal processes | Follow the workflow above in parallel with DAC processes |
| Obtain approval before republication | DAC approval is required before the dataset can be republished |
For datasets published on agency-specific portals
| Action | Detials |
|---|---|
| Follow established procedures | Use the agency's established incident response procedures |
| Remove dataset immediately | Take the dataset offline from public access as soon as possible |
| Disable API access if applicable | If APIs are involved, disable or restrict access until remediated |
| Document all removal actions | Keep detailed records of all actions taken to remove/restrict data access |
Maintain detailed records of
| Documentation Element | Description |
|---|---|
| Nature of the breach | What type of breach occurred and how |
| Affected data | What specific data elements were compromised |
| Detection timeline | When the breach was detected and by whom |
| Containment actions | Steps taken to contain and rectify the situation |
| Notifications | Record of all notifications made internally and externally |
| Preventative measures | Actions implemented to prevent similar incidents |
Agencies should prepare templates for
| Template Type | Purpose |
|---|---|
| Internal incident reports | For documenting and reporting incidents within the agency |
| Privacy Commissioner notifications | For formal notification to the Privacy Commissioner |
| Communications to affected individuals | For clear, concise communication with affected parties |