1. The purpose of our procedure
This procedure outlines the steps Adelaide University must follow to identify, assess, contain, and respond to an information breach, ensuring compliance with legislative obligations and protecting the interests of our community.
Please read this procedure in conjunction with the Information Governance Policy.
2. Who our procedure applies to
2.1 Inclusions
This procedure applies to all members of the Adelaide University community.
2.2 Exclusions
This procedure does not apply to research-related breaches. For those, refer to the following policy documents:
- Investigating and Managing Research Conduct Procedure
- [Research Data and Primary Materials Procedure]
This procedure authorises the Chief Data and Analytics Officer to maintain associated protocols.
3. Our information breach procedure
Our procedure follows the Office of the Australian Information Commissioner's (OAIC) four-stage model (contain, assess, notify, review) and incorporates obligations under the State Records Act 1997 (SA), the Privacy Act 1988 (Cth), the Australian Privacy Principles (Office of the Australian Information Commissioner), and the Notifiable Data Breaches scheme (OAIC).
3.1 Identifying and reporting a breach
Members of the Adelaide University community are required to:
3.1.1 immediately report suspected or actual information breaches to the [Privacy Officer or IT Security Office]
3.1.2 use Adelaide University’s [Information Breach Report Form] within 24 hours of discovery
3.1.3 preserve evidence, including emails, logs, and affected records
3.1.4 lodge reports via:
- [University Service Portal]
- [privacy@adelaide.edu.au]
- [IT Security Hotline].
3.2 Containment and Initial Assessment
Upon receiving a report, Governance Services must:
3.2.1 isolate affected systems and records
3.2.2 prevent further unauthorised access
3.2.3 secure physical records in accordance with the State Records Act 1997 (SA)
3.2.4 liaise with IT Services if technical controls are required (for example, network isolation).
3.3 Risk Assessment
Within 30 days, the Director, Governance Services must determine whether the breach is an eligible data breach under the Notifiable Data Breaches (NDB) scheme. The assessment considers:
3.3.1 the type and sensitivity of information (for example, health, research, financial, cultural)
3.3.2 whether information was encrypted or otherwise protected
3.3.3 the likelihood of misuse, harm, or reputational damage
3.3.4 additional ethical obligations where Aboriginal or Torres Strait Islander research data is involved (see the AIATSIS Code of Ethics for Aboriginal and Torres Strait Islander Research).
3.4 Notification of information breach
If the breach meets the Notifiable Data Breaches scheme (OAIC) threshold, the Director, Governance Services must:
3.4.1 notify affected individuals directly, where practicable
3.4.2 issue a public statement on the Adelaide University website when direct notification is impracticable.
3.5 Remediation and Recovery
Following containment and notification, responsible areas must:
3.5.1 implement corrective actions to address vulnerabilities
3.5.2 provide support services to affected individuals (for example, credit monitoring, counselling)
3.5.3 apply sanctions or corrective measures where negligence or misconduct contributed to the breach.
3.6 Review and Continuous Improvement
Governance Services will:
3.6.1 conduct a post-incident review within [60 days]
3.6.2 document lessons learned in the [University Breach Register]
3.6.3 recommend updates to systems, contracts, or training programs.
4. Who holds a responsibility within this procedure
4.1 The Chief Data and Analytics Officer is required to:
- oversee administration and governance of this procedure
- authorise breach response protocols and notifications
- ensure integration with Information Governance Policy and [Information Governance Framework].
5. Definitions used in our procedure
Please refer to our Adelaide University glossary for a full list of our definitions.
Adelaide University community refers to a broad range of stakeholders who engage with Adelaide University and includes (but is not limited to) all students, staff, and non-staff members of Adelaide University including alumni, honorary title holders, adjuncts, visiting academics, guest lecturers, volunteers, suppliers and partners who are engaging with and contributing to the work of Adelaide University.
AIATSIS Code of Ethics means the ethical standard that guides the handling of Aboriginal and Torres Strait Islander research data.
Eligible data breach means a data breach that meets the threshold in Part IIIC of the Privacy Act 1988 (Cth), that is, one likely to result in serious harm to one or more individuals and therefore requiring notification under the Notifiable Data Breaches (NDB) scheme.
Information breach means the unauthorised access, disclosure, alteration, loss, or misuse of Adelaide University information, whether digital or physical.
Notifiable Data Breaches (NDB) scheme means the regime under Part IIIC of the Privacy Act 1988 (Cth) that requires entities to notify the OAIC and affected individuals as soon as practicable when an eligible data breach occurs.
Record means information created, received or kept by Adelaide University in the conduct of its activities (including teaching, research and administration) and retained as evidence of those activities, regardless of format, medium or location, as defined in the State Records Act 1997 (SA).
6. How our procedure is governed
This procedure is categorised, approved and owned in line with the governance structure of Adelaide University and the offices and officers listed below.
| Parent policy | Information Governance Policy |
|---|---|
| Policy category | Corporate |
| Policy owner | Deputy Vice Chancellor – Corporate |
| Procedure owner | Chief Data and Analytics Officer |
| Procedure category | Corporate |
| Approving authority | Co-Vice Chancellors/Vice Chancellor and President |
| Responsible officer | Director, Information Governance |
| Effective from | 19 December 2025 |
| Review date | 6 months after date this version is approved |
| Enquiries | Interim Central Policy Unit/[Central Policy Unit] staff.policy.enquiries@adelaideuni.edu.au |
| Replaced documents | None |
7. Legislation and other documents related to our procedure
| Category | Documents |
|---|---|
| Associated procedures | [Data Management Procedure]; Records Management Procedure |
| Related policy documents | [Information Governance Framework]; Information Governance Policy |
| Referenced legislation | |
| Related legislation | Public Sector (Data Sharing) Act 2016 (SA); Electronic Communications Act 2000 (SA) |
| External references | Australian Privacy Principles Guidelines (Office of the Australian Information Commissioner); Notifiable data breaches (OAIC); AIATSIS Code of Ethics for Aboriginal and Torres Strait Islander Research; Personal Information Breach Notification (State Records SA); Information Management Standard V1.3 (State Records SA); Australian Code for the Responsible Conduct of Research 2018 (ARC); NIST Cybersecurity Framework (CSF) 2.0; NIST Security and Privacy Controls for Information Systems and Organizations |
8. History of changes
| Date approved | To section/clauses | Description of change |
|---|---|---|
| 22 December 2025 | N/A | New procedure |
At the time of writing, Adelaide University’s organisational structure, position titles, and committee names have not been confirmed. Square brackets [ ] indicate placeholders for these details. Brackets are also used to identify policy elements that are subject to further decision-making or confirmation. These will be updated once final decisions are made.