This policy describes how LightYear Docs Pty Ltd (“LightYear Docs” or “LYD”) will respond to a data breach, in adherence to the Privacy Act 1988. It is LightYear Docs’ belief that clear roles, responsibilities and procedures will serve as the foundation of a comprehensive privacy program.
This policy outlines:
All LightYear Docs employees, officers, representatives, or advisers (‘Employees’) are required to understand and act in accordance with this policy.
A data breach occurs when personal information or intellectual property held by LightYear Docs is lost or is subject to unauthorised access, disclosure or modification. Data breaches can occur in a number of ways, including but not limited to:
Specific to LightYear Docs’ business, the following have been identified as possible data breach sources:
All LightYear Docs Employees who are aware of, informed of, or suspect a data breach must inform their IT team immediately. The IT team must then assess the suspected breach to determine whether or not a breach has in fact occurred. If a data breach has, in fact, occurred, then the IT team will manage the breach according to the steps outlined in the Data Breach Response Plan.
In accordance with OAIC recommendations, the following steps will be taken in response to a verified Data Breach:
Under the Notifiable Data Breach Scheme, LightYear Docs is obliged to report data breaches that satisfy the following criteria:
For further information on how to assess a notifiable data breach, LightYear Docs must refer to the OAIC’s APP guidelines.
Where LightYear Docs suspects that an eligible breach has occurred, it must carry out a reasonable and expeditious assessment of the breach: s 26WH(2)(a) of the Privacy Act. Where possible, the assessment must be completed within 30 days of LightYear Docs becoming aware of information that causes it to suspect that an eligible breach has occurred. If LightYear Docs is unable to complete the assessment within 30 days, a written document must be prepared which addresses:
Where an Eligible Breach has occurred, LightYear Docs must inform affected users AND the Privacy Commissioner. LightYear Docs is allowed to disclose eligible breaches to users in either of the following ways:
Disclosure of eligible breaches to the Privacy Commissioner may be done by online form.
For more information on disclosing Eligible Breaches under the Notifiable Data Breach Scheme, please refer to the OAIC’s webpage on the topic.
LightYear Docs reserves the right to monitor Employees’ use, access and modification of the company’s data, and to initiate an investigation in cases where an employee takes an action that is in breach of this policy.
All Employees should handle LightYear Docs’ data with due diligence in accordance with this policy and any related policies. If an employee’s action or omission that is prohibited under this policy causes a disruption of integrity to the data system or leads to a breach defined in the Privacy Act, the employee may face severe disciplinary action up to and including termination at the discretion of LightYear Docs.