This policy provides an overview of the mechanism for NSW Treasury to respond to and manage privacy data breaches. Privacy data breaches might be non-technical in nature (i.e. human error) or have a cyber security component (i.e. a cyber incident resulting in a privacy data breach). It is important to note that the foundations of this policy apply to privacy rather than cybersecurity. Matters relating to the technical aspects of cybersecurity and the policies surrounding the governance of Information Technology (IT) systems should be dealt with under NSW Treasury’s IT, Risk and Information policies and procedures.
When an incident involves the potential exposure of ‘personal information’, it becomes a privacy incident and possibly a notifiable ‘data breach’ under the Privacy and Personal Information Protection Act 1998 (NSW) (PPIP Act).
NSW Treasury will follow a risk management approach to dealing with security and privacy threats. Privacy data breaches are to be evaluated on a case-by-case basis and actions taken according to an assessment of risks and responsibilities in the particular circumstances. This document forms part of NSW Treasury’s adherence to its responsibilities under privacy and other laws.