How Queensland Rail protects your data
Queensland Rail acknowledges the significant impact that can result from not protecting an individual’s information or personal information, including reputational damage, harm to physical or mental health, financial loss, identity theft, family violence and physical harm. Accordingly, where a possible data breach is identified, Queensland Rail will take steps to:
- Report and triage the data breach
- Allocate and escalate the data breach
- Contain the data breach
- Assess the risks
- Manage notifications
- Manage complaints
- Remediate the data breach
- Review for improvements
What is a data breach
A data breach occurs when information held by Queensland Rail is used, disclosed or lost on an unauthorised basis, resulting in a disclosure that is inconsistent with the Information Privacy Act 2009 (Qld) (IP Act). All incidents of this kind will be treated as a data breach and dealt with under this policy.
Data breaches can result from technical issues, vulnerabilities in cybersecurity systems, human error, inadequate policies and training, a misunderstanding of the law, or deliberate acts. Most data breaches concern the security, use or disclosure of personal information. A data breach may occur internally at Queensland Rail, or involve the disclosure of personal information externally by Queensland Rail or its contractors.
Queensland Rail’s commitments
We will notify the Information Commissioner and you where necessary
Queensland Rail is committed to providing responses to potential or actual data breaches in a manner that is timely, consistent, effective, and appropriate.
A data breach involving personal information that is likely to result in serious harm to an individual is an eligible data breach under the IP Act. Serious harm is defined in the IP Act as serious physical, psychological, emotional, financial, or reputational harm to the individual. Queensland Rail is required to notify the Queensland Information Commissioner (Information Commissioner) and affected individuals when Queensland Rail knows, or reasonably suspects, that an eligible data breach has occurred, unless an exemption applies.
We will undertake an assessment in the required timeframe
Queensland Rail will undertake an assessment of the risks associated with the data breach. This will involve assessing the severity of the data breach and the likelihood that the data breach will result in serious harm to an individual. This assessment must be completed within 30 days of forming a reasonable suspicion of a data breach. Under section 49 of the IP Act, Queensland Rail can extend the timeframe required to complete the assessment, if it is satisfied that it will not be able to complete the assessment within 30 days.
How Queensland Rail manages complaints
If you believe Queensland Rail has breached its obligations under the IP Act, including failing to comply with the Queensland Privacy Principles, you can lodge a privacy complaint with Queensland Rail. Please refer to "Contact us" below for information about how to make a complaint about a data breach, or if you need to contact us about data breaches more generally.