Policy statement
The Residential Tenancies Authority (RTA) is committed to respecting the privacy and ensuring the security, accuracy and integrity of personal information regarding all customers, staff and contractors who receive or provide our services. The RTA complies with the Queensland Privacy Principles (QPP) set out in the Information Privacy Act 2009 (Qld) (IP Act). How the RTA manages personal information is detailed in our privacy policy and Privacy plan.
Purpose and intent
The IP Act regulates how Queensland government agencies, such as the Residential Tenancies Authority, must comply with the requirements of the Mandatory Notification Data Breach Scheme (MNDB Scheme).
The purpose of this policy is to:
- identify the concepts of data breach including an eligible data breach
- identify the obligations under the MNDB Scheme
- outline the principles for reporting and responding to a data breach including a suspected eligible data breach
Under the MNDB Scheme, the IP Act requires the RTA to notify the Queensland Information Commissioner and affected individuals of data breaches involving personal information (unless an exemption applies) where it is likely that the data breach will result in serious harm.
The Human Rights Act 2019 (Qld) requires proper consideration to be given to human rights where the RTA is contemplating a decision that may affect or limit a human right. This Data breach policy together with the Privacy and data breach procedure supports compliance with the Human Rights Act by facilitating the proper handling and security of personal information and in this way contributing to protection of human rights, including privacy and reputation.
Scope
This policy applies to all RTA staff (permanent, temporary and casual) and all other organisations and individuals acting as its agents (including contractors and consultants).
Key concepts
Data breach
A data breach means unauthorised access to, or unauthorised disclosure of, information, or loss of information in circumstances where unauthorised access or unauthorised disclosure is likely to occur. A data breach in general includes ALL types of information. A data breach is commonly referred to as a privacy breach.
All data breaches must be notified and assessed individually to determine whether the data breach includes personal information. If the data breach includes personal information and is likely to result in serious harm to an individual, it will be an ‘eligible data breach’ and will therefore fall within the notification requirements of the MNDB Scheme.
A data breach may be caused by malicious action (by an external or internal party), human error or a systemic information handling or information security breakdown.
Some examples of data breaches:
- phishing emails which trick a user into performing an action or providing information
- an email is sent to the wrong recipient
- a file is left in a public place
- lost or stolen laptops and removable storage devices, where the information on them is not encrypted
- physical files containing personal information
- a staff member accessing a customer record without having a valid work reason for doing so.
Eligible data breach
The MNDB Scheme applies where a suspected or confirmed eligible data breach has occurred.
An eligible data breach is one in which both of the following apply:
- the data breach involves unauthorised access to, unauthorised disclosure of, or loss of personal information held by the RTA; and
- the unauthorised access or disclosure is likely to result in serious harm to an individual.
Personal information is defined by s 12 of the IP Act as
…information or an opinion about an identified individual or an individual who is reasonably identifiable from the information or opinion—
(a) whether the information or opinion is true or not; and
(b) whether the information or opinion is recorded in a material form or not.
The harm that potentially arises from a data breach will vary depending on the nature of the personal information and the context of the data breach.
Serious harm is defined as including:
- serious physical, psychological, emotional, or financial harm to the individual because of the access or disclosure or
- serious harm to the individual’s reputation because of the access or disclosure.
The risk of serious harm to an individual must be more than a mere possibility; it must be more probable than not. It is not necessary to identify the specific individuals who may be harmed in order to determine that serious harm is likely to occur for one or more individuals. This is an objective test, determined on the facts of the specific breach.
Some of the factors the RTA will use in determining serious harm and whether it is likely to result from the data breach may include:
- the kind of personal information accessed, disclosed or lost
- the sensitivity of the personal information
- whether the personal information is protected by one or more security measures
- if the personal information is protected by one or more security measures, the likelihood that any of those security measures could be overcome
- the persons, or the kinds of persons, who have obtained, or who could obtain, the personal information
- the nature of the harm likely to result from the data breach, and
- any other relevant matter.
A data breach may occur within the RTA, or be caused by external persons or entities accessing data without proper authorisation. A data breach may be due to human error, system or process errors, or deliberate acts to access personal information.
Principles
The RTA maintains a range of measures and controls to ensure the security of the personal information it collects, uses and discloses. All staff have a responsibility to report confirmed or suspected data breaches regardless of whether they meet the criteria of an eligible data breach.
A data breach by a third-party provider may be subject to the MNDB Scheme depending on whether the RTA has a legal basis that it ‘held or holds’ the personal information or whether the information is ‘under the control’ of the RTA.
The RTA recognises the benefits that responding to and reporting of suspected or confirmed data breaches provide to the organisation both in preventing further data breaches as well as providing opportunities for the individuals affected by a data breach to take steps to protect their personal circumstances.
The RTA will take all reasonable steps to contain and minimise the harm that may result as a consequence of a data breach.
Responding to a data breach
Stage 1 - Preparation
The RTA has the following measures in place to prepare for a data breach.
- A data governance framework encompassing policies and procedures including, but not limited to: the privacy plan, privacy and data breach procedure, privacy and data breach work instruction, records management and governance policy, information security management policy, IT incident management and response procedure, and Incident Response Plan (IRP).
- Mandatory cyber security awareness training to assist staff in preventing cyber incidents and avoiding security breaches.
- An Information Security Management System (ISMS based on ISO 27001)
- Information privacy awareness training on collection, use and disclosure of personal information.
Where the RTA has contracts with external service providers, appropriate privacy obligations will be included in any contracts which outline the information provided, a data breach response plan including timeframes for reporting suspected breaches and provisions around the disposal of data upon termination of the contract.
Stage 2 - Identification
The RTA will take a systematic approach to managing a data breach. At all times the underlying principle of contain and mitigate will apply, in order to minimise any risk of harm that may result from the data breach.
A data breach may be identified by:
- a cyber security breach through monitoring activities
- a staff member identifying an incident
- a staff member identifying a suspected breach through auditing activities
- a member of the public making a privacy complaint about how the RTA has managed personal information.
All staff who receive notification of a suspected data breach are responsible for reporting it to the Privacy Officer by emailing privacy@rta.qld.gov.au.
Stage 3 - Containment and mitigation
All reasonable steps will be taken to contain the data breach. The obligation to contain and mitigate any harm arising from the data breach is ongoing. The containment measures will depend on the nature of the data breach and may include:
- making efforts to recover the personal information
- securing, restricting access to, or shutting down breached systems in consultation with relevant stakeholders
- suspending the activity that led to the data breach
- revoking or changing access codes or passwords.
Reasonable steps will be taken to contain the breach and take appropriate actions to reduce the risk of serious harm for affected individuals.
Stage 4 - Assessment
The Privacy Officer will initiate an assessment of the severity/impact of the breach and may establish an incident response team to support the assessment and subsequent actions under this procedure.
Some of the factors that may lead to an incident response team being convened include but aren’t limited to:
- the number of individuals affected by the breach
- the breach includes multiple services
- the breach requires input from specialty advisors
- the breach may cause significant harm to individuals affected by the breach
- the breach (actual or alleged) has been reported in the media.
The members involved in the incident response team will be dependent on the nature of the breach and specialist advice needed. For example, a data breach involving a paper record may not require expertise from the cybersecurity officer.
Where an incident response team is not activated, the activities to identify, treat and mitigate harm from the eligible data breach event will be undertaken by the Privacy Officer with the support of the Governance, Risk and Compliance (GRC) team and the service/s involved in the data breach.
Some of the factors that the Privacy Officer may consider when assessing a data breach include (but are not limited to):
- the types of information involved in the breach
- the sensitivity of the personal information involved in the breach
- whether the personal information is protected by one or more security measures
- if the personal information is protected by one or more security measures, the likelihood of these measures being overcome
- the kinds of person/s who have or could obtain the personal information
- the nature of the harm likely to result from the data breach
As soon as practicable, and within 30 days of becoming aware of a data breach, a decision on whether it is an eligible data breach will be made. Where it is not possible to conclude within the first 30 days whether the data breach meets the threshold of an eligible data breach, an extension of time that is reasonably required to complete the assessment may be approved by the Chief Assurance Officer.
If an extension is approved, the RTA must give written notice to the Information Commissioner as soon as practicable, and within the first 30 days.
If the data breach involves a cybersecurity incident, the Queensland Government Information Security Virtual Response Team (QGISVRT) may provide expert assistance in containing and assessing the data that may have been affected by the data breach.
Each data breach will be assessed on an individual basis.
Stage 5 - Notification
The RTA must notify the Information Commissioner as soon as practicable after forming the belief the data breach is an eligible data breach. For any data breach that does not meet the criteria as an eligible data breach, consideration will be given to voluntarily reporting the data breach to the Information Commissioner.
Unless an exemption applies, the RTA, in consultation with relevant business units, will take reasonable steps to:
- notify each individual whose personal information was impacted by the eligible data breach, or
- notify each affected individual, or
- issue a public statement about the eligible data breach if notification to individuals is not reasonably practicable.
The method of communication with individuals will be determined on a case-by-case basis and may include communication through email, telephone or post.
The RTA will determine whether notification to other agencies or third parties is necessary. Depending on the nature of the eligible data breach, this may include the police, insurance providers, or other State or Commonwealth government agencies.
Where an eligible data breach involves the personal information of children, consideration will be given to the age of the child and whether it is appropriate to provide notification directly to the child or to their parent or guardian. In many cases, if the child is 16 years or over it may be appropriate to provide notification directly to the child.
There is no requirement to notify individuals whose personal information was not involved in the eligible data breach. However, if in the circumstances of the data breach an individual is identified who is likely to suffer harm for other reasons, the RTA may consider notifying that individual if it is possible to do so without the risk of further breaches.
Stage 6 - Post-breach review and evaluation
Action will be taken to seek to identify and eliminate the root cause of the data breach during the stages of managing the event. Depending on the cause of the data breach and the steps put in place to contain the data breach, further steps may be required to return to normal operation.
Following the management of an eligible data breach, a post breach review and evaluation may occur to consider any lessons learnt from either the breach itself or the process for managing the data breach.
The complexity of the post-breach review and evaluation process will depend on the severity of the eligible data breach that was investigated. Where an eligible data breach required the activation of an incident response team, the review should involve all team members who were consulted as well as any other staff members who were involved in the response.
Recordkeeping
The RTA maintains an internal register of privacy/data breaches, including eligible data breaches, which is managed by the Governance, Risk and Compliance team. The RTA will comply with statutory reporting requirements, publishing to the RTA website at www.rta.qld.gov.au.
A number of documents may need to be prepared in responding to a data breach or providing notification under the MNDB Scheme. These documents will be stored in accordance with RTA record keeping processes under the Public Records Act 2023.
Mandatory requirements
Where an eligible data breach is reasonably suspected or confirmed, notification will be provided to the Information Commissioner in the required form.
Roles and Responsibilities
| Role | Responsibility |
|---|---|
| RTA employee | Read the data breach policy and understand what is expected of them. Comply with the IP Act, including protecting personal information held by the agency from unauthorised access, disclosure or loss. Where required in accordance with this data breach policy, immediately report a data breach or suspected data breach to the appropriate officer (this could be a supervisor, manager, senior officer or privacy officer). Respond to requests for information from and cooperate with the Privacy Officer and/or the Data Breach Response Team. Comply with record keeping obligations. |
| Privacy officer (GRC) | Assess the severity of a data breach involving personal information and the likelihood that a breach will result in serious harm to an individual to whom the information involved relates. Escalate serious data breaches as detailed in the related procedures. Immediately report a data breach that is also a cyber security incident to the Chief Information Officer, if not already reported. Maintain the Register of privacy and data breaches. |
| Manager/Supervisors | Ensure staff under their supervision undergo the mandatory training relating to cyber security and information privacy, and that staff are aware of the Privacy Policy, this Data Breach Policy and related procedures. Take reasonable steps to contain the data breach. Prompt reporting of any data breaches, suspected data breaches, policy violations. |
| Manager GRC | Notify the Information Commissioner. Notify affected persons (and others where required). This includes publishing, monitoring and reviewing the currency of public notifications of a data breach published to the agency website under section 53(1)(c). |
| Chief Information Officer | Ensure the RTA validate and rate cyber security incidents, including data breaches, as they occur. Implement the Incident response plan and related procedures if the data breach is also a cyber security incident. Consider whether to notify cyber security agencies where appropriate. Perform the appropriate and necessary containment measures and root cause eradication where the data breach is a system related breach. Provide guidance and training to staff on best practice for cyber security. |
| Directors | Immediately report a cyber security incident that is also a data breach to the Privacy Officer, if not already reported. Convene the Incident Response Team, when appropriate. |
| Chief Executive Officer | Provide management and decision making for significant eligible data breaches. |
| Responsible Officer | Maintain and update this Policy. |
Human Rights
This policy has been reviewed in line with the Human Rights Act 2019 (Qld) and no human rights have been limited by the processes outlined in this document. More generally, the policy should help achieve a positive outcome for the human right of privacy.
Legislation
- Information Privacy Act 2009 (Qld)
- Right to Information Act 2009 (Qld)
- Human Rights Act 2019 (Qld)
- Public Records Act 2023 (Qld)
- Information Privacy and Other Legislation Amendment Act 2023 (IPOLA Act)
Appendix 1 – Definitions
| Term | Meaning | Source |
|---|---|---|
| affected individual | An “affected individual” under section 47(1)(ii) of the IP Act. | Information Privacy Act 2009 (Qld) s 47(1)(ii) |
| data breach | The unauthorised access to, or unauthorised disclosure of, information, or the loss of information in circumstances where unauthorised access to, or unauthorised disclosure of, the information is likely to occur, in accordance with schedule 5 of the IP Act. | Information Privacy Act 2009 (Qld) sch 5 |
| data breach policy | This Policy. | |
| data breach Response Plan | A more detailed procedural document complementing the Data Breach Policy, which could be an internal document detailing the agency's more specific processes in managing and responding to a data breach. | |
| exemption to notification | The following circumstances may result in an individual not being notified of the eligible data breach: · complying with the notification obligation is likely to prejudice an investigation that could lead to the prosecution of an offence or proceedings before a court or tribunal; · the eligible data breach involves more than one agency, and another agency is undertaking the notification obligations; · action has been taken to mitigate the unauthorised access, disclosure or loss and, as a result of that action, the data breach is no longer considered likely to result in serious harm to any individual; · complying with the notification obligation is inconsistent with a provision of an Act of the Commonwealth or a State that prohibits or regulates the use or disclosure of the information; · complying with the notification obligation would create a serious risk of harm to an individual’s health or safety; · complying with the notification obligation is likely to compromise or worsen the RTA’s cybersecurity or lead to further data breaches. | Information Privacy Act 2009 (Qld) ch 3A, pt 3, div 3 |
| eligible data breach | An “Eligible Data Breach” will have occurred under section 47 of the IP Act where: (a) there has been unauthorised access to, or unauthorised disclosure of, personal information held by an agency, and the access or disclosure is likely to result in serious harm to any of the individuals to whom the information relates; or (b) there has been loss of personal information held by an agency that is likely to result in unauthorised access to, or unauthorised disclosure of, the personal information, and the loss is likely to result in serious harm to any of the individuals to whom the information relates. | Information Privacy Act 2009 (Qld) s 47 |
| Information Commissioner | The Queensland Information Commissioner. | |
| IP Act | The Information Privacy Act 2009 (Qld). | |
| MNDB Scheme | Mandatory Notification Data Breach Scheme. The scheme under which the RTA must notify individuals and the Information Commissioner about eligible data breaches involving personal information held by the RTA. | Information Privacy Act 2009 (Qld) ch 3A |
| non-eligible data breach | A data breach which does not meet the requirement for notification as an eligible data breach. | Information Privacy Act 2009 (Qld) s 47 |
| personal information | Information or an opinion about an identified individual or an individual who is reasonably identifiable from the information or opinion: (a) whether the information or opinion is true or not; and (b) whether the information or opinion is recorded in a material form or not. | Information Privacy Act 2009 (Qld) s 12 |
| privacy complaint | A privacy complaint is a complaint by an individual about an act done or practice engaged in by a relevant entity in relation to the individual’s personal information that may be a breach of the relevant entity’s obligation to comply with— (a) the privacy principle requirements; or (b) for an agency—chapter 5. | Information Privacy Act 2009 (Qld) s 164 |
| sensitive information | (a) …personal information about the individual that includes any of the following— (i) racial or ethnic origin; (ii) political opinions; (iii) political association; (iv) religious beliefs or affiliations; (v) philosophical beliefs; (vi) professional or trade association; (vii) membership of a trade union; (viii) sexual preferences or practices; (ix) criminal record; or (b) health information about the individual; (c) genetic information about an individual that is not otherwise health information; (d) biometric information that is to be used for the purpose of automated biometric verification or biometric identification, or biometric templates. | Information Privacy Act 2009 (Qld) sch 5 |
| serious harm | To an individual, in relation to the unauthorised access or unauthorised disclosure of the individual’s personal information, includes, for example: serious physical, psychological, emotional or financial harm to the individual because of the access or disclosure, or serious harm to the individual’s reputation because of the access or disclosure. | |
| unauthorised access | The information has been accessed by someone who has not been granted access to the information. E.g., a computer left unattended was accessed by an individual who has not been granted a username for the system. | Office of the Information Commissioner Guideline, Mandatory Notification of Data Breach Scheme, August 2024, pages 3-4 |
| unauthorised disclosure | The information has been disclosed to an incorrect recipient, or where there was no legal basis to disclose the information. E.g., a bond receipt letter was sent to the wrong customer. | Office of the Information Commissioner Guideline, Mandatory Notification of Data Breach Scheme, August 2024, page 4 |