Automatic language translation
Our website uses an automatic service to translate our content into different languages. These translations should be used as a guide only. See our Accessibility page for further information.
As soon as you become aware of an information or data incident, your organisation must:
If a requirement stated in this policy conflicts with a provision specified in your contract with us, then the contract provision overrides that requirement.
The nature of the incident and the potential impact on DCJ clients and systems determines who and when to contact DCJ.
If your organisation identifies a cyber-attack is in progress, or has occurred in your ICT systems:
A representative of the DCJ Cyber Security team will contact your organisation and work with you to ascertain details of the incident. If necessary, you can request ICT guidance from DCJ.
DCJ will coordinate the incident and help determine if it is an eligible data breach. Your lead DCJ contract manager or a nominated DCJ coordinator will be the liaison between your organisation and our internal stakeholders.
The following contact numbers are for after hours only.
After hours contacts for NGOs operating within the following districts:
For centrally managed contracts or where impacted services are state-wide
When your organisation detects any of these types of incidents, call and email your DCJ contract manager by the next business day. If your organisation holds multiple contracts with DCJ, notify your lead DCJ contract manager.
You may also have an obligation to notify the Information and Privacy Commission NSW (IPC), or the Office of the Australian Information Commission (OAIC), under relevant state and Commonwealth privacy laws. Justice Connect, Not-for-profit Law, provides resources to help you understand your obligations.
Within 48 hours of notifying DCJ, you’re required to undertake an early investigation of the information security incident and notify your lead DCJ contract manager of the findings, in writing.
You can use the DCJ Information or data incident report (DOCX, 321.7 KB) (DOCX, 321.7 KB) to satisfy this requirement, or to help guide your organisation’s own version of the report.
Your report of the early investigation and its findings must include:
Your lead DCJ contract manager will inform DCJ internal stakeholders about the information or data incident, so that we can manage any issues and risks in consultation with your organisation’s stakeholders.
What you need to do, and the actions we take, will depend on the nature and seriousness of the incident, as well as any requirements specified in your contract with us. If you hold contracts across multiple DCJ programs, privacy and information security requirements may differ from contract to contract.
If the incident is serious and involves a cyber-attack or breach of your organisation’s ICT systems, we may have to temporarily restrict your organisation’s access to DCJ’s electronic systems.
In serious cases, DCJ may actively work with you to manage the incident. This is likely if the incident involves a cyber-attack or loss of client records due to theft, fire or flood. If other DCJ stakeholders need to contact you to obtain further information and/or to provide assistance to you, it will be done in consultation with your lead DCJ contract manager.
If client data is involved, your lead DCJ contract manager and their senior manager will work with your organisation to decide on the appropriate action to be taken. This may require further information about the personal and/or health information of clients that may have been affected.
If the incident is assessed as an eligible data breach under the MNDB Scheme, we’ll work with our DCJ information privacy team and liaise with you to inform the Privacy Commissioner and affected individuals. The Privacy Commissioner may recommend remedial actions.
Depending on the nature of the incident, we may ask you to undertake an information security assessment. If necessary, we’ll work with you to determine the most appropriate steps to take to ensure program data and client information are protected, including implementing remedial actions.
For serious incidents, we may document the remedial actions required in a formal improvement plan, which we’d work with you to develop. In less serious cases, we may agree to an informal plan of improvements to your information security, and monitor your progress at regular contract meetings.
09 May 2024