From:
Sent:
Friday, 25 May 2018 13:52
To:
Subject:
RE: DBN18 00218 2018-05 - NDB notification [SEC=UNCLASSIFIED]
,
Thank you for the further information.
I will be in touch soon to provide further advice and guidance in relation to the notification requirement given the
circumstances.
Kind Regards
|
|
Office of the Australian Information Commissioner
GPO Box 5218 SYDNEY NSW 2001 | www.oaic.gov.au
Phone:
| Fax:
|
From:
Sent: Friday, 25 May 2018 12:27 PM
To:
Subject: RE: DBN18 00218 2018-05 - NDB notification [SEC=UNCLASSIFIED]
UNCLASSIFIED
Good afternoon
Further to your telephone call in relation to this data breach matter, please find attached a copy of the
email sent to the protected discloser (whistleblower) apologising for the incorrectly addressed email, as
well as a copy of the email to the recipient who received the misdirected email and deleted it.
I confirm that in relation to your request as to whether the name of the person complained about in the
protected disclosure was mentioned in the material sent to the incorrect email address: yes, the official’s
name and title were included in the emailed material.
I also note that when asked for consent for the ROC to contact the organisation to follow up the protected
disclosure allegations, the discloser expressly declined to give that consent.
If the person complained about in the protected disclosure is informed of the matter, it would be the first
that they heard about the matter and the fact that the agency concerned is the ROC would make it
apparent to that person that it concerns a protected disclosure. I also consider that the risk of reprisals
against the protected discloser is significant.
In terms of remedial measures, all staff were advised of the nature of the incident at the all staff meeting
on 17 May 2018 and the importance of preventing such data breaches was stressed. Staff were actively
encouraged to delete ‘auto-complete’ email addresses that come up when typing in an email recipient, in
order to avoid misdirection of emails. Training on topics such as information security and privacy is also
being implemented on an ongoing basis.
Happy to discuss further.
Kind regards
Registered Organisations Commission
Tel:
Mobile:
GPO Box 2983, MELBOURNE VIC 3001 |
Did you know? We have a free email subscription service to send out important updates and newsletters.
Subscribe here
www.roc.gov.au
Please consider the environment before printing this message
From:
Sent: Friday, 25 May 2018 12:06 PM
To:
Subject: RE: DBN18 00218 2018-05 - NDB notification [SEC=UNCLASSIFIED]
,
I have attached a copy of the form to this email.
On a further note to our conversation, are you able to provide more information in relation to actions to prevent
reoccurrence?
Much appreciated.
Regards
|
|
Office of the Australian Information Commissioner
GPO Box 5218 SYDNEY NSW 2001 | www.oaic.gov.au
Phone:
| Fax:
|
From:
Sent: Monday, 14 May 2018 7:40 AM
To: Enquiries <xxxxxxxxx@xxxx.xxx.xx>
Subject: RE: DBN18 00218 2018-05 - NDB notification [SEC=UNCLASSIFIED]
UNCLASSIFIED
Good morning
Can you please forward me a copy of my completed notification form? The PDF copy didn’t come through with the
automated lodgement response.
Best regards
Registered Organisations Commission
Tel:
Mobile:
GPO Box 2983, MELBOURNE VIC 3001 |
Did you know? We have a free email subscription service to send out important updates and newsletters.
Subscribe here
www.roc.gov.au
Please consider the environment before printing this message
From: Enquiries <xxxxxxxxx@xxxx.xxx.xx>
Sent: Friday, 11 May 2018 3:55 PM
To:
Subject: DBN18 00218 2018-05 NDB Acknowledgement Letter - (1).doc [SEC=UNCLASSIFIED]
Our reference: DBN18/00218
Dear
Thank you for your statement notifying the Information Commissioner of an eligible data breach involving
Registered Organisations Commission.
In most instances, the information provided in the statement is sufficient and you will not receive any
further correspondence from the Office of the Australian Information Commissioner in relation to the
incident.
If we require any further information, we will be in contact. If we receive a complaint from individuals
affected by the incident, we will deal with that complaint on its merits and will refer to the information
provided in your statement.
Further resources
Entities covered by the Privacy Act 1988 (Cth) have obligations under Australian Privacy Principle (APP) 11
to take reasonable steps to protect the personal information they hold from misuse, interference and loss,
and unauthorised access, modification or disclosure. APP 6 also limits the circumstances in which an APP
entity is permitted to disclose the personal information it holds. Please visit our website for more
information on the APPs.
The OAIC’s Guide to securing personal information contains information about reasonable steps APP
entities should consider taking to protect the personal information as required by APP 11 of the Privacy
Act.
You may also find the OAIC’s Data breach preparation and response: a guide to managing data breaches in
accordance with the Privacy Act 1988 (Cth) useful in preparing for and responding to future data breaches.
If the breach you have reported is a cyber security incident, you could also report it to the Australian Cyber
Security Centre (ACSC). The ACSC can provide advice to organisations that have experienced a data breach,
and reports to the ACSC help build the Australian Government’s understanding of the cyber threat
environment.
Yours sincerely
Office of the Australian Information Commissioner
***********************************************************************
WARNING: The information contained in this email may be confidential.
If you are not the intended recipient, any use or copying of any part
of this information is unauthorised. If you have received this email in
error, we apologise for any inconvenience and request that you notify
the sender immediately and delete all copies of this email, together
with any attachments.
***********************************************************************
Notice:
The information contained in this email message and any attached files may be confidential information,
and may also be the subject of legal professional privilege. If you are not the intended recipient any use,
disclosure or copying of this email is unauthorised. If you received this email in error, please notify the
sender by contacting the department's switchboard on 1300 488 064 during business hours (8:30am - 5pm
Local time) and delete all copies of this transmission together with any attachments.