Data Breach Policy

Purpose

The Department of Transport and Main Roads is required to manage personal information in compliance with the Information Privacy Act 2009 (Qld) (IP Act).

The purpose of this policy is to define the steps to be taken by us in the event of a data breach, specifically one that compromises the personal information of individuals.

Policy statement

This policy supports the department's compliance with the Mandatory Notification of Data Breach (MNDB) scheme and has been developed in line with the IP Act and guidance from the Office of the Information Commissioner (OIC), Queensland.

Objectives

As of 1 July 2025, the Queensland Government implemented the MNDB Scheme across all government agencies. The scheme requires agencies to publish a Data Breach Policy, as well as notify the OIC and affected individuals in the event of an eligible data breach.

Scope

This policy applies to all actual and suspected data breaches involving personal information.

Benefits

Implementation of this policy provides public accountability and transparency around the management of personal information within the department. The implementation of this policy ensures we:

• can minimise potential harms to individuals affected by data breaches
• comply with the MNDB Scheme
• empower staff to take proactive steps to contain privacy breaches, wherever possible
• have consistency in how we manage data breaches that involve personal information
• provide assistance and advice to affected individuals, such as how to protect themselves from identity theft or other forms of harm.

Applicability

This policy applies to all our permanent full time, part time, volunteer, trainee and temporary employees, contractors, consultants, third-party suppliers, vendors, and hosted managed service providers authorised to access, manage, process or store our information assets and systems.

Compliance with this policy is mandatory.

Authority

Section 73 of the IP Act requires all Queensland Government agencies to develop and implement a privacy data breach policy. The Queensland Privacy Principles (QPPs), as detailed in the department’s privacy policy, are applicable to this policy.

Personal information

Personal information means any information or an opinion about an identified individual or an individual who is reasonably identifiable from the information or opinion:

1. whether the information or opinion is true or not
2. whether the information or opinion is recorded in a material form or not.

What is a data breach?

A ‘data breach’ for the purpose of this policy means either of the following in relation to personal information held by the department:

1. unauthorised access to, or unauthorised disclosure of, the information.
2. the loss of the information in circumstances where unauthorised access to, or unauthorised disclosure of the information is likely to occur.

Examples of a data breach include:

Malicious or criminal attack

• Cyber incidents such as ransomware, malware, hacking, phishing or access attempts resulting in access to, leakage or theft of personal information
• Social engineering or impersonation leading into inappropriate disclosure of personal information
• Insider threats from employees using their valid credentials to access or disclose personal information outside the scope of their duties or permissions
• Theft of a physical asset such as a paper record, laptop, removable storage device or mobile phone containing personal information.

System fault

• Where a software bug allows access to a system without authentication, or results in automatically generated notices including the wrong personal information or being sent to incorrect recipients.

Human error

• When a letter or email is sent to the wrong recipient
• When system access is incorrectly granted to someone without appropriate authorisation
• When employees fail to implement appropriate password security, for example not reviewing access permissions, securing passwords, or sharing password and log in information.

What are our obligations under the Mandatory Notification of Data Breach (MNDB) Scheme?

Where we becomes aware of a data breach involving personal information, it will take all reasonable steps to:

• contain the breach
• mitigate the harm caused by the breach.

Where the breach is assessed as being an eligible data breach, we will:

• notify the Information Commissioner
• notify affected individuals.

What is an eligible data breach?

An eligible data breach occurs when:

• there is a data breach involving personal information
• the data breach is likely to result in serious harm to an individual to whom the personal information relates.

Serious harm

Serious harm occurs where the harm arising from the data breach has, or may, result in a real and substantial detrimental effect to an individual.

Serious harm includes:

• physical, psychological, emotional, or financial harm to the individual because of the access or disclosure
• serious harm to the individual's reputation because of the access or disclosure.

Examples of harms include:

• identity theft
• financial loss
• threats to personal safety
• loss of business or employment opportunities
• humiliation and embarrassment
• damage to reputation or relationships
• discrimination, bullying, or other forms of disadvantage or exclusion.

If there are reasonable grounds to believe that the data breach has resulted in or is likely to result in serious harm to one or more of the individuals to whom the information relates to, the data breach is considered an ‘eligible data breach’.

Affected individuals

An affected individual for the purpose of this policy, is a person whose personal information is subject to an eligible data breach.

Data breach response and reporting

Upon suspicion or detection of a data breach, we consider several factors in assessing a data breach including the OIC’s guidelines and will undertake the following steps in response to all data breaches containing personal information.

Step 1: Contain and report

Upon suspicion or detection of a data breach, it is essential that the incident is immediately reported to a manager/supervisor to enable containment of the breach, where feasible.

Containment will minimise any further unauthorised access or disclosure of the affected personal information.

If the breach is a suspected cyber incident, it must immediately be reported to the Information Security Unit. If the breach involves a third-party vendor/supplier, it must be immediately reported to the relevant contract manager.

We will take care to ensure that while containing a breach, information that may be required as part of an internal or external investigation into the breach is not destroyed. Containment steps are to be taken in consultation with relevant subject matter experts, depending on the nature and scope of the data breach.

Staff are required to document the incident in the Data Breach Response Form which is to be sent to the department’s Information Privacy team for assessment. The Data Breach Response Form must include details about the personal information involved in the breach and the circumstances surrounding the breach, to inform the mitigation actions and assessment.

Step 2: Evaluate and mitigate the risks associated with the data breach

The types of personal information involved in the breach, in addition to other influencing factors, give rise to a varied range of potential harms to individuals that will need to be assessed on an individual basis.

As soon as practicable, the department’s Information Privacy team will assess the data breach to make a preliminary assessment of the risk posed by the breach. Considerations of this assessment will include:

• the type of personal information involved in the breach
• the sensitivity of the information
• the number of individuals that will be affected as a result of the breach
• whether the individuals affected by the breach are vulnerable, which would increase the susceptibility to serious harm
• the individuals, or the kinds of individuals, who have gained access, or who could gain access to the information
• whether the individuals who have or could gain access to the information are likely to use the information for harmful purposes
• whether the information is protected by one or more security measures
• the likelihood that the security measures in place to protect the information could be bypassed so that an unauthorised individual would be able to gain access to the information
• requirements under any third-party agreements whose data may be affected
• any other factors that may be relevant to the circumstances of the breach.

This initial assessment will indicate the breach as a Low, Medium or High risk, according to the criteria above. Please refer to glossary below for risk rating category definitions.

For Low risk breaches, our Information Privacy team will work with the impacted business area and any required specialists to address the breach.

For Medium risk breaches, our Information Privacy team will determine whether there are reasonable grounds to assess the breach as eligible within 30 days, unless granted an extension under section 49 of the IP Act.

For High risk breaches, the Director, Right to Information, Privacy and Complaints Management (RTIPCM), Transport and Main Roads, Corporate Division will activate the Breach Response Team to coordinate the Breach Response Process.

The Breach Response Team

The Breach Response Team is responsible for carrying out and coordinating actions that can reduce the potential impact of a data breach. This team will act as the single point of management of the breach response and may consist of:

Role	Responsibilities
Director, Right to Information, Privacy and Complaints Management (RTIPCM), Corporate	Lead the assessment, mitigation and notification of the data breach.
Information Privacy team, Corporate	Assist the Director, RTIPCM in leading the assessment, mitigation and notification of the data breach.
Chief Legal Officer, Corporate	Identify and advise on any legal obligations and support the drafting of notifications and communications issued.
Director Cyber Security Operations, Enabling Solutions Group (ESG)	Provide insights on: information security matters the systems involved in the breach existing controls forensic aspects of the breach. Stand up Information Security Incident Response (ISIR) team if required.
Director (Strategy, Performance, Risk & Governance), Corporate	Advise on broader risks associated with the data breach. For example, business disruption, fraud, regulatory impacts, in addition to impacts on internal risk profiles and control environments.
Employee Relations / HR Manager/Ethical Standards	Where the breach involves the actions of a staff member, these roles will provide input on required processes. These processes could include conduct/disciplinary matters, a review of any deficits in workforce training, or external support for any employees who may be distressed about their role in or responsibility for the breach.
Organisational Communications, Corporate	To deliver timely, transparent and accurate information to stakeholders, manage public and internal messaging.
Relevant Information Asset Custodians and any internal or external subject matter experts	To assist in undertaking the assessment and mitigation of the data breach.

Members of the Breach Response Team will be called upon where relevant, to provide input on the coordination of the breach response. All members of the Breach Response Team are briefed on their role and responsibilities and will use their expertise to provide appropriate direction on the assessment of the breach.

If the breach involves multiple agencies, we will liaise with the relevant agency to determine who will be responsible for assessing the breach and whether a joint response should be formed.

Step 3: Notify

Unless an exemption applies, the department's Information Privacy team will assist the Information Asset Custodian in notifying affected individuals, the OIC and any other relevant parties of an eligible data breach. Other relevant parties may include:

• Minister for Transport and Main Roads
• Director-General, Transport and Main Roads
• Queensland Police Service
• Crime and Corruption Commission Queensland
• Queensland Government Chief Information Officer
• Office of the Australian Information Commissioner
• Australian Taxation Office
• Australian Cyber Security Centre
• any third-party organisations or agencies whose data may be affected
• financial services providers
• professional associations or regulatory bodies.

Notification of an eligible breach to the OIC will include:

• whether we are reporting on behalf of other agencies affected by the same data breach and, if so, the details of the other agencies
• the date the data breach occurred (if known)
• a description of the data breach, including the type of eligible data breach
• information about how the data breach occurred
• if the data breach involved unauthorised access to or disclosure of personal information, the period during which the access or disclosure was available or made
• the steps we have taken or will take to contain the data breach and mitigate the harm caused to individuals by the data breach
• the department’s recommendations about the steps affected individuals should take in response to the data breach
• the number of individuals whose personal information was accessed, disclosed or lost and affected individuals for the data breach
• the total number of individuals notified of the data breach or, if it is not reasonably practicable to work out the total number, an estimate of the total number
• whether the notified individuals have been advised how to make a privacy complaint to us.

Unless an exemption applies, as soon as practicable after forming a reasonable belief that a data breach is an eligible data breach, we will notify affected individuals:

• the contact details of the department or a person nominated by us for further queries about the data breach
• the date the data breach occurred (if known)
• a description of the data breach
• information about how the data breach occurred
• the department’s recommendations about the steps an affected individual should take in response to the data breach
• if the data breach involved unauthorised access to or disclosure of personal information, the period during which the access or disclosure was available or made
• the steps we have taken or will take to contain the data breach and mitigate any harm caused to affected individuals
• information about how an individual can make a formal privacy complaint.

The method of notification will be determined on a case-by-case basis. Where we are unable to notify all affected individuals, alternative communication will be considered, such as a public notification on its website.

Notification is not mandatory for breaches outside the scope of an eligible data breach. However, the department considers reasonable expectations of the individuals concerned when deciding to notify in these instances.

Tax file numbers

Although the department is exempt from the federal Privacy Act 1988 (Cth), any data breach involving tax file numbers must be handled in accordance with the mandatory notifiable data breach scheme under the federal Act. This includes notification to the affected individuals and to the Australian Office of the Information Commissioner.

Step 4: Post breach review and evaluation

After a data breach has been resolved, a post breach review may be conducted on:

• the root cause of the data breach
• assets/controls impacted, and identification of improvements for the environment
• monitoring systems to identify areas for uplift revision
• relevant policies and procedures to reflect the lessons learned from the review
• service delivery practices that were involved in the breach.

For High risk rated breaches, we will conduct a post breach review and report recommended actions to the relevant business areas.

Step 5: Recordkeeping requirements

The department keeps records of data breaches in line with our obligations under the Public Records Act 2023. We also maintain an internal register of eligible data breaches, consistent with our obligation under section 72 of the IP Act.

How the department prepares for a data breach

Maintaining a record of the types of personal information held

We hold an enterprise information asset register that lists the kinds of information captured and what systems and databases house this information.

Restricting access to personal information

We restrict access to the systems and software platforms containing personal information on a needs-only basis. Limiting the access of personal information to those who need the information to be able to perform their role is crucial in reducing the potential for unauthorised access or disclosure.

Robust security framework

The department operates an Information Security Management System (ISMS) that applies a consistent, risk-based approach to ensure our systems and information are understood and effectively managed. Our ISMS aligns to the Queensland Government Information and Cyber Security Policy (IS18), which requires all government agencies implement an ISMS based on ISO27001, and that agency executives confirm the appropriateness of agency information security.

Information governance structure

Under the Queensland Government’s Information asset custodianship policy (IS44), the department identifies, registers and assigns roles and responsibilities to information assets.

Our information governance structure ensures information is protected in accordance with the Information and cyber security policy (IS18), and that records are disposed of in accordance with the Public Records Act 2023.

Regularly reviewing and updating our privacy practices

In response to continuing advancements in technology and new emerging privacy threats, we consistently integrates privacy considerations into the development of new systems and programs that involve personal information, embedding data protection from the outset.

Regular reviews on privacy procedures, policies, training materials and privacy collection notices are conducted to ensure they are current and operate in line with best practice. These actions enhance our ability to fulfil our legislative duties when managing personal information and to prevent data breaches.

Education on breach prevention and identification

Our staff play a vital role in data breach preparation measures. Through regular information privacy and cyber security education, awareness initiatives, and mandatory annual training, staff are equipped with practical strategies to uphold our privacy compliance obligations and to effectively identify and report privacy breaches.

Roles and Key Responsibilities

All of our employees have a responsibility to ensure personal information they handle in the performance of their duties is managed in accordance with the IP Act.

A high-level overview of responsibilities within the department is below.

Role	Responsibilities
Director-General	The Director-General provides strategic leadership, oversight, and accountability for the department's breach policy, ensuring compliance, effective incident response, and continuous improvement.
Information Asset Custodians	General Managers (GM), or equivalent hold the responsibility for data/information in their respective business units. Where a serious harm data breach has occurred, or a breach that has affected many individuals, the GM will advise the relevant Deputy Director-General and the Director-General.
Managers and supervisors	Managers and supervisors are responsible for taking immediate steps to ensure the department’s Data Breach Response Form is completed and forwarded to the Information Privacy team for assessment Additionally, they must notify the relevant Information Asset Custodian (GM or equivalent) and any other relevant parties of a breach. This list is not exhaustive and any business area within the department may be a relevant party.
Employees, consultants, contractors and managed service providers	All employees, consultants, contractors and managed service providers are responsible for: recognising a data breach and promptly reporting it only collecting or using personal information in accordance with our QPP policy restricting access to information only to those that require it for their role only keeping information for the length of time necessary in accordance with the retention and disposal schedules understanding their obligations under all relevant legislation, policies, procedures and guidelines, including the Code of Conduct for Queensland Public Service, and by undertaking the mandatory annual information privacy and cyber security training.
Information Security Unit	The Information Security Unit manages and maintains the the department's Information Security Management System in accordance with the Queensland Government Information Security Policy IS18. Additionally, the Information Security Unit is responsible for: notifying the Information Privacy team where an actual or suspected breach may involve personal information assist with the appropriate and necessary containment measures, root cause eradication and post breach review providing guidance and training to Employees on best practice for cyber security.
Information Privacy team	The Information Privacy team are the central area to be contacted for all data breaches containing personal information and are responsible for: Our Data Breach Response Plan, notification forms and templates, and central breach register that will be used to manage and record details of the incident assessment of data breaches containing personal information co-ordinating notification of an eligible data breach to the OIC and affected individuals educating employees about data breaches and recommending improvement to processes that will reduce the risk of future incidents reviewing and updating our QPP Policy and this Privacy Data Breach Policy.
Ethical Standards Unit	The Ethical Standards Unit are responsible for investigating an incident to determine whether serious misconduct or corrupt conduct has occurred or whether the reporting of an incident may be a public interest disclosure under the Public Interest Disclosures Act 2010.

Service providers and contract provisions

We often outsources functions to external service providers. Where a contractor or service provider manages personal information on behalf of us to provide a service or product, they are bound by legally binding contracts, memorandums of understanding or other information data sharing agreements to protect this information. With all new contracts, we will consider including specific clauses including:

• obligations to promptly report data breaches
• a requirement to contain and mitigate in response to data breaches
• a requirement to assist and cooperate with us with data breach assessments and responses.

Supporting documents

This policy is supported by the department's:

• QPP policy
• Cyber Incident Response Plan
• Information Security Policy

Implementation and review

This policy takes effect on 1 July 2025 and will be reviewed every two years to ensure it meets business needs and best practice guidelines.

Information used to inform the review may include:

• feedback received from customers, stakeholders and staff
• the results of internal or external reviews, audits or evaluations
• any changes in policy, legislation or organisational structure.

Further information and contacts

For further information about this Policy, an eligible data breach or matters relating to Information Privacy within the department please contact:

Information Privacy
Right to Information, Privacy and Complaints Management
Department of Transport and Main Roads
GPO Box 1549
Brisbane Qld 4001
Email: [email protected]

Glossary

Term	Definition
Affected Individual	A living individual whose personal information is subject to an eligible data breach.
Data breach	Unauthorised access to, or unauthorised disclosure of, personal information.
Eligible Data Breach	When there is a loss, unauthorised access to, or disclosure of, personal information held by us, which is likely to result in serious harm.
IP Act	The Information Privacy Act 2009
Level of Risk Rating	Low: involves unauthorised access to or disclosure of personal information that is unlikely to cause any harm or distress to the individuals affected the information disclosed is publicly available or considered low sensitivity (such as name or title in a public context) there is little to no risk of identity theft or financial loss resulting from the breach the breach involves a small number of people. Medium: involves unauthorised access to or disclosure of personal information that may cause some harm or distress to the individuals affected the information disclosed is of moderate sensitivity and may include contact details there is a moderate risk of identity theft or potential misuse of the information the breach could potentially lead to reputational damage, embarrassment, or inconvenience to the individuals involved the breach affects a moderate number of individuals. High: involves unauthorised access to or disclosure of personal information that is likely to cause significant harm or distress to the individuals affected the information disclosed is considered highly sensitive and may include health records, financial details, identification numbers, or other data that can be used for identity theft there is a high risk of the information being used for malicious purposes, such as financial fraud, blackmail, or significant privacy invasions the breach could lead to serious reputational damage, psychological stress, safety concerns, or discrimination against the individuals involved the breach affects many individuals or targets specific groups vulnerable to harm.
MNDB	Mandatory notification of data breach (MNDB) scheme. The MNDB scheme requires the assessment of whether a data breach is an Eligible data breach requiring mandatory notification to the OIC and affected individuals.
OIC	Queensland Office of the Information Commissioner
Personal information	Personal information means any information or an opinion about an identified individual or an individual who is reasonably identifiable from the information or opinion whether the information or opinion is true or not whether the information or opinion is recorded in a material form or not.
QPP	The Queensland Privacy Principles (QPPs)
Serious Harm	Serious harm is defined in schedule 5 of the IP Act as including: physical, psychological, reputational, emotional, or financial harm to the individual because of the loss, access or disclosure of personal information.
TMR	The Department of Transport and Main Roads