Data Breach Policy

1. Purpose

The purpose of this policy is to outline the mandatory requirements to manage and respond to a data breach at the State Library of Western Australia and to mitigate future breaches.

2. Scope

Compliance with this policy is mandatory for all State Library staff, contractors and volunteers working at the State Library.

This policy applies to:

  • all personal information collected from members of the public by the State Library for the purpose of undertaking library related activities; and
  • all personal information collected and held by the State Library regarding volunteers.

This policy does not apply to:

  • documents and information accessed under Freedom of Information (FOI) legislation;
  • personal information contained in items from the State Library’s collection no matter how they are physically or digitally collected, stored and made available (e.g. books, magazines, newspapers, diaries, letters, photographs, oral histories); and
  • personal information collected from State Library staff and members of the Library Board of Western Australia. This information is collected and managed by the Department of Local Government, Sport and Cultural Industries.

3. Context

In alignment with State Government reforms regarding personal privacy protections and the accountability of information sharing within Government, this policy seeks to formalise the State Library’s commitment to the secure handling of personal information it collects and provide clear direction as to the actions that will be taken in the unlikely event of a data breach occurring.

Through this process the State Library demonstrates its respect for individual privacy and its ability to manage any data breach in accordance with community expectations and legislation.

4. Data Breach – Definition

A data breach for the purpose of this policy occurs when there has been unauthorised access to, or loss of, information managed by the State Library. This includes, but is not limited to:

  • accidental loss or theft of data or of equipment on which data is stored, e.g. hard copy records, laptops and State Library issued USBs;
  • unauthorised use, access or modification of data or information systems e.g. through sharing of user login details;
  • unauthorised disclosure of departmental or portfolio agencies’ information or classified material e.g. email shared to an incorrect recipient or data posted onto a website;
  • IT system/application/services failure; or
  • online or physical attempts to gain access to State Library information held by the State Library or the Department of Local Government, Sport and Cultural Industries.

5. Policy Statement

It is the policy of the Library Board of Western Australia that:

The State Library will make every effort to protect personal information from unauthorised access, misuse, loss or disclosure.

The State Library will work towards limiting and preventing data breaches by proactively improving its information management practices.

Any serious breach of data held by the State Library will be reported to the relevant authorities and affected individuals.

6. Responsibility for this document

Manager Library Applications Support Team (development and implementation)

7. References

  • DLGSC Cyber Security Incident Response Management Plan
  • Office of Digital Government (W.A.) – Privacy and Responsible Information Legislation
  • Responding to Data Breach Procedure

8. Authorisation and Review

First approved: Library Board, 7 November 2024
Review date: Two years from last approval
Reviewed:
CIU File: 24/404