What is a data breach?

A ‘data breach’ means either of the following in relation to information held by UQ: 

  1. unauthorised access to, or unauthorised disclosure of, the information. 
  2. the loss of the information where unauthorised access to, or unauthorised disclosure of, the information is likely to occur.

Data breaches can be caused by:

  • cyber security incidents (e.g. malware, phishing, system vulnerabilities, etc.)
  • accidents or operational error (e.g. sending personal information to a third party by accident, or sending an HR file to the wrong person, etc.)

UQ has responsibilities under the Information Privacy Act 2009 regarding data breaches, and these are defined in UQ’s Data Breach Policy. Responsibilities include:

  • Containing data breaches and mitigating harms.
  • Assessing all data breaches to determine if they are ‘eligible data breaches’ (data breaches likely to result in serious harm to individual/s).
  • Notifying the information commissioner and other individuals (e.g. impacted individuals) about eligible data breaches.
  • Maintaining a register of eligible data breaches.

All UQ staff play a role in:

  • minimising the likelihood of data breaches 
  • ensuring UQ can respond to data breaches effectively and meet our regulatory obligations, and 
  • minimising harms associated with data breaches. 

What to do if a data breach occurs

If you suspect a data breach has occurred, it is important to report it as soon as possible. 

  • suspected data breaches that are also potential cyber security incidents - report to cyber security UQ 
  • other suspected data breaches (including accidental breaches) - report to the Privacy Officer

Refer to the Data Breach Policy for more information. 
 


How to prevent data breaches 

Cyber security best practice

Refer to guidance from the cyber security team on how to protect yourself and protect UQ from cyber-attacks. 

Data handling best practice

According to the Office of the Australian Information Commissioner, almost one third of data breaches in Australia are caused by human error. 

Proper data handling is key to avoiding a data breach. Refer to the Data Handling Procedure for more information. 

File storage

  • Store your files appropriately – refer to guidance on Where to store your files.
  • Avoid keeping copies of documents or files. This reduces the impact of a data breach.
  • Retain records for the appropriate timeframes and dispose securely – refer to our guidance on retention and destruction.

File sharing 

  • Use sensitivity labels on documents and emails to ensure they cannot be shared further – see Information Security Classifications to learn more.
  • Avoid sending attachments via email. Instead, share files with specific individuals via M365 sharing links. Be mindful of sharing the correct links with the correct individuals. 
  • Remove confidential information from email trails if necessary, before forwarding on to new recipients.
  • Share data securely (internally and externally) – see guidance on Data Sharing Agreements.
  • Collaboration – refer to our article on How to collaborate securely.

Your work area

  • Keep a clean desk policy – don’t keep confidential documents on your desk. 
  • If you are printing documents, be cautious when handling SENSITIVE or PROTECTED documents. Don’t walk away from the printer while the documents are still printing, or leave documents unattended in the printer tray.
  • Don’t discuss confidential information or undertake confidential work in public. 
  • Don’t overshare on social media. This includes LinkedIn and X (Twitter), which are commonly used for professional networking and updates.
     