1. Policy statement

Unitywater will:

  • Protect the privacy of individuals whose Personal Information Unitywater holds.
  • Minimise harm arising from unauthorised access, disclosure, loss, or misuse of Personal Information.
  • Ensure all privacy data breaches are promptly identified, assessed, and managed in alignment with Unitywater’s Privacy Data Breach Response Procedure and Cyber Incident Response Plan.
  • Assess all suspected privacy data breaches to determine whether they meet the threshold of an eligible data breach under the Information Privacy Act 2009 (Qld), including consideration of whether the breach is reasonably likely to result in serious harm to an individual.
  • Notify affected individuals and relevant regulators only where a privacy data breach is confirmed to be an eligible data breach, in accordance with legislative and regulatory obligations, unless an exception applies.
  • Continuously improve the protection of Personal Information by learning from incidents and strengthening controls.

Unitywater will identify, assess, manage, and notify privacy data breaches in accordance with applicable legislative and regulatory requirements, including the Information Privacy Act 2009 (Qld) (IP Act), the Mandatory Notification Data Breach (MNDB) Scheme administered by the Office of the Information Commissioner (OIC), the Human Rights Act 2019 (Qld), and the Queensland Government, Information and Cyber Security Policy (IS18:2025).

This policy establishes a mandatory, consistent, and auditable framework for the identification, containment, assessment, decision-making, and notification of privacy data breaches. It ensures that:

  • Privacy data breaches are managed in a timely and effective manner.
  • Risks of serious harm to individuals are appropriately assessed and mitigated. 
  • Eligible data breaches are identified and notified in accordance with statutory obligations.
  • Unitywater maintains evidence of compliance and continuous improvement.

This policy applies to all Privacy Data Breaches involving Personal Information held by or on behalf of Unitywater, regardless of format, location, or storage medium. This includes Personal Information processed or managed through:

  • Unitywater systems, applications, and physical records. 
  • Third-party service providers and contractors engaged by Unitywater. 
  • Cloud-hosted environments, software-as-a-service platforms, and other outsourced processing arrangements. 
  • All stages of the information lifecycle, including collection, use, disclosure, storage, transmission, and disposal. 

This policy applies to all accidental, inadvertent, negligent, and malicious Privacy Data Breaches involving Personal Information, and applies to all Unitywater team members, contractors, and service providers insofar as they support or perform services involving Personal Information on behalf of Unitywater.

Unitywater remains responsible for Personal Information it holds, including where such information is processed on behalf of Unitywater by external service providers, or is provided to Unitywater by external organisations, regardless of the provider’s jurisdiction or contractual refusal to adopt Queensland-specific privacy legislation.

3.1 Reporting and responding to a data breach

3.1.1 Reporting a privacy data breach

Unitywater will effectively manage all Privacy data Breaches in accordance with approved governance frameworks, including the Privacy Data Breach Response Procedure and, the Cyber Incident Response Plan. The response approach aligns with guidance published by the OIC.

All team members must report suspected or actual Privacy Data Breaches immediately upon becoming aware of the incident, through approved channels to ensure appropriate oversight and governance.

3.1.2 Privacy data breach response timeframes

Unitywater will assess and respond to all suspected Privacy Data Breaches as soon as practicable.

When Unitywater becomes aware of reasonable grounds to suspect that a privacy data breach may be an Eligible Data Breach, Unitywater will:

  • Undertake a reasonable and expeditious assessment of the circumstances.
  • Complete the assessment within 30 days, in accordance with the IP Act and the MNDB scheme.

If Unitywater becomes aware that a Privacy Data Breach is an Eligible Data Breach, Unitywater will:

  • Notify the OIC as soon as practicable. 
  • Notify affected individuals as soon as practicable, unless an exception applies. 

Where remedial action is taken, Unitywater will assess whether the action has removed the likelihood of serious harm before determining whether notification is required.

All decisions, actions, and timeframes relating to assessment, remediation, and notification will be appropriately documented.

3.2 Register and recordkeeping 

3.2.1 Privacy data breach register including eligible data breaches

Unitywater will maintain a central register of all privacy data incidents, including:

  • Eligible data breaches.
  • Non-eligible data breaches.
  • Near misses and suspected incidents.

The register will capture sufficient information to support assessment, decision making, and compliance obligations including:

  • Date and nature of the incident.
  • Type and sensitivity of information affected.
  • Assessment outcomes, including serious harm considerations.
  • Notification decisions and supporting rationale.
  • Actions taken to contain, mitigate, and remediate the incident.
  • Post-incident review findings and improvement actions.

The register will be maintained as a controlled record and reviewed on a regular basis to support oversight, trend analysis, and continuous improvement.

Unitywater will maintain the capability to generate reports on eligible data breaches to support regulatory engagement, including responding to requests from the OIC or other authorised bodies.

3.2.2 Recordkeeping

All records, including evidence of assessment and notification decisions will be maintained in accordance with the Public Records Act 2023 (Qld) and internal policies, ensuring auditability and evidence of compliance.

Table 2: Definitions, abbreviations and acronyms

Term

Meaning

Affected individual

Has the same meaning as under the IP Act.

Data Breach

Has the same meaning as under the IP Act.

Eligible Data Breach

Has the same meaning as under the IP Act.

Held or hold in relation to Personal Information

Has the same meaning as under the IP Act.

IP Act

Information Privacy Act 2009 (Qld).

Personal Information

Has the same meaning as under the IP Act.

OIC

Office of the Information Commissioner Queensland.

Sensitive Information

Has the same meaning as under the IP Act.

Serious harm

Has the same meaning as under the IP Act.