Data Breach Policy and Procedure
Purpose
National Training Organisation (NTO) is committed to protecting the personal information of students, staff, and stakeholders. This policy outlines the steps NTO will take to identify, assess, and respond to a data breach in compliance with the Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), and the Notifiable Data Breaches (NDB) scheme.
Scope
This policy applies to all personal, financial, and health information held by NTO, including data stored electronically and in physical formats. It covers:
- Students enrolled in NTO courses.
- Staff, contractors, and third-party service providers engaged by NTO.
Definition of a Data Breach
A data breach occurs when personal information is lost or subjected to unauthorised access, modification, disclosure, or misuse. Examples include:
- Unauthorised access: Cyberattacks, hacking, phishing, or unauthorised system access.
- Accidental disclosure: Emails sent to the wrong recipient, system errors, or misconfigured databases.
- Loss of data: Theft or loss of physical documents, computers, or storage devices.
- Employee misuse: Unauthorised access or misuse of data by staff or contractors.
A data breach is deemed an eligible data breach under the NDB scheme if it is likely to result in serious harm to affected individuals and that risk cannot be mitigated through remedial action.
Data Breach Response Plan
NTO follows a structured four-step process to respond to data breaches:
Step 1: Identification and Immediate Containment
- Any staff member or contractor who becomes aware of a potential breach must immediately notify the Privacy Officer and Senior Management.
The Privacy Officer will:
- Assess the situation and take immediate steps to contain the breach.
- Implement containment measures, such as revoking access to compromised systems or resetting passwords.
Step 2: Risk Assessment
The Privacy Officer, in consultation with IT and relevant personnel, will assess:
- The nature and extent of the breach.
- The risk of serious harm to affected individuals.
- Whether remedial action has mitigated the risk.
Step 3: Notification
If the breach is an eligible data breach, NTO will notify:
- Affected individuals: Providing details of the breach and recommended actions.
- Office of the Australian Information Commissioner (OAIC): Submitting a formal statement as required under the NDB scheme.
Step 4: Review and Prevention Measures
NTO will conduct a post-incident review to:
- Identify the root cause of the breach.
- Implement corrective actions (e.g., additional security controls, policy updates, staff training).
Roles and Responsibilities
Privacy Officer
- Leads the response to data breaches.
- Conducts risk assessments and determines whether notification is required.
IT Security Team & Senior Management
- Investigates technical aspects of the breach.
- Implements containment measures and provides recommendations for improving cybersecurity practices.
All Staff and Contractors
- Report any suspected data breaches immediately.
- Follow security protocols to minimise data risks.
Reporting Suspected Data Breaches or Concerns
- Data breaches must be reported internally using NTO’s Incident Report Form.
- NTO will maintain a Data Breach Register to document all reported breaches, actions taken, and outcomes.
- Regular audits and cybersecurity assessments will be conducted to strengthen data protection.