
DATA BREACH POLICY

Purpose and Scope

Racing Queensland (RQ) collects and holds Personal Information for the purposes of performing various obligations and business functions. This can include Sensitive Information relating to participants and other persons within the racing industry.

This policy is RQ's overarching policy about how RQ will respond to Data Breaches and Suspected Data Breaches of RQ. All RQ Workers have a responsibility to comply with this policy and to uphold confidentiality and protect the information provided to them by the public.

To assist RQ Workers with practical steps for responding to Data Breaches and Suspected Data Breaches of RQ, RQ has a Data Breach Response Plan.


Definitions

Term / Definition

Affected Individual

means an “affected individual” under section 47(1)(ii) of the IP Act.

Data Breach

of RQ, means either of the following in relation to information held by RQ:

(a) unauthorised access to, or unauthorised disclosure of, the information;

(b) the loss of the information in circumstances where unauthorised access to, or unauthorised disclosure of, the information is likely to occur.

Data Breach Response Plan

means a specific plan for the Data Breach Response Team to follow in the event of a Data Breach or Suspected Data Breach.

Data Breach Response Team

means a team of RQ employees, consisting of the Senior ICT Manager, Privacy Officer and the manager of the business unit where the Data Breach occurred.

Eligible Data Breach

of RQ means where:

(a) there has been unauthorised access to, or unauthorised disclosure of personal information held by RQ, and

(b) the access or disclosure is likely to result in serious harm to any of the individuals to whom the information relates

or where

(a) there has been loss of personal information held by an agency that is likely to result in unauthorised access to, or unauthorised disclosure of the personal information, and

(b) the loss is likely to result in serious harm to any of the individuals to whom the information relates.

held or hold

in relation to RQ and Personal Information, means that the Personal Information is contained in a document in the possession, or under the control, of RQ.

IP Act

means the Information Privacy Act 2009 (Qld).

IPOLA

means the Information Privacy and Other Legislation Amendment Act 2023 (Qld).

MNDB Scheme

means the Mandatory Notification of Data Breach Scheme, established by the IPOLA under the IP Act.

OIC

Office of the Information Commissioner Queensland

Personal Information

means information or an opinion about an identified individual or an individual who is reasonably identifiable from the information or opinion:

  1. whether the information or opinion is true or not; and
  2. whether the information or opinion is recorded in a material form or not.

RQ Worker

means an employee or contractor of RQ.

Sensitive Information

for an individual, means the following:

  • information or an opinion about an individual’s:
    • racial or ethnic origin; or
    • political opinions; or
    • membership of a political association; or
    • religious beliefs or affiliations; or
    • philosophical beliefs; or
    • membership of a professional or trade association; or
    • membership of a trade union; or
    • sexual orientation or practices; or
    • criminal record;
  • health information about the individual;
  • genetic information about the individual that is not otherwise health information;
  • biometric information that is to be used for the purpose of automated biometric verification or biometric identification; or
  • biometric templates.

Serious Harm

serious harm, to an individual in relation to the unauthorised access or unauthorised disclosure of the individual’s Personal Information, includes, for example:

  1. serious physical, psychological, emotional or financial harm to the individual because of the access or disclosure; or
  2. serious harm to the individual’s reputation because of the access or disclosure.

Suspected Data Breach

means a Data Breach of RQ which RQ knows, or has reason to suspect, is a Data Breach of RQ.


Roles and responsibilities

The following is a summary of those, at RQ, who have responsibilities in relation to Data Breaches and Suspected Data Breaches.

Role / Responsibility

RQ Worker

  • Read this Data Breach Policy and the Data Breach Response Plan and understand what is expected of them.
  • Comply with the IP Act, including protecting Personal Information held by RQ from unauthorised access, disclosure or loss.
  • Where required in accordance with this Data Breach Policy, immediately report a Data Breach or Suspected Data Breach to their manager and the Senior ICT Manager.
  • Respond to requests for information from, and cooperate with, the Privacy Officer and/or the Data Breach Response Team.
  • Comply with record keeping obligations.

Privacy Officer

  • Assess the severity of a Data Breach or Suspected Data Breach involving Personal Information and the likelihood that a breach will result in Serious Harm to an individual to whom the information involved relates.
  • Convene the Data Breach Response Team, where Data Breaches or Suspected Data Breaches may involve Serious Harm.
  • Assist in the containment, mitigation, assessment, notification and other management of Data Breaches and Suspected Data Breaches.
  • Oversee record-keeping which documents RQ’s management of and responses to Data Breaches and Suspected Data Breaches.
  • Maintain the Register of Eligible Data Breaches.
  • Maintain and update this Policy.

Manager

  • Identify and escalate concerns within area of responsibility which may enliven the requirements of this Data Breach Policy.
  • Immediately report a Data Breach or Suspected Data Breach to the Senior ICT Manager and the Privacy Officer.
  • Assist the Senior ICT Manager and the Privacy Officer with the assessment and containment of the Data Breach or Suspected Data Breach, where required.

Senior Management

  • Convene the Data Breach Response Team if not already convened by the Privacy Officer.
  • Determine whether a Data Breach is an Eligible Data Breach.
  • Where relevant, notify the OIC, Affected Individuals and others where required.

Data Breach Response Team 

  • Generally manage Data Breaches and Suspected Data Breaches escalated to this team, including
    1. containing and mitigating the Data Breach or Suspected Data Breach to minimise any further risks of harm;
    2. assessing whether any Data Breach or Suspected Data Breach is an Eligible Data Breach; and
    3. ensuring all notifications are made, including to the OIC, Affected Individuals and others considered to be appropriate (such as the Minister for Racing and the Queensland Government Cyber Security Unit).
  • Implement RQ’s Information Security Guideline and related procedures if the Data Breach or Suspected Data Breach is also a cyber security incident.

Responding to a Data Breach

All RQ Workers have a responsibility to report a Data Breach or a Suspected Data Breach.

It is RQ’s policy that responding to a Data Breach or Suspected Data Breach involves the following steps and that these steps be implemented in accordance with the Data Breach Response Plan.

Step 1: Preparation

So as to be prepared for appropriate management of Data Breaches and Suspected Data Breaches, RQ requires all RQ employees to undertake training about privacy awareness and data breach management. This occurs annually for all staff.

Step 2: Identification

Where an RQ Worker becomes aware of a Data Breach or suspects that a Data Breach may have occurred, RQ requires them to immediately report the breach or suspected breach to their manager and the Senior ICT Manager.

The RQ Worker is to give as much information as possible when reporting the matter, including:

  • The date when it occurred;
  • How it occurred;
  • The type of Data Breach or Suspected Data Breach that occurred, i.e. unauthorised disclosure or unauthorised access;
  • The type of information that has or may have been accessed/disclosed, such as Personal Information; and
  • If known, any Affected Individuals.

Step 3: Containment and Mitigation

It is RQ’s policy that, immediately, and on a continuing basis, all reasonable steps be taken to contain and mitigate a Data Breach to limit any further risk and exposure, including:

  • Recovering or retrieving lost data that contains Personal Information;
  • Suspending activities that led to the relevant circumstances;
  • Securing, restricting access to, or shutting down relevant systems; and
  • Revoking or changing access codes or passwords.

The containment and mitigation strategies to be utilised by RQ will depend on the severity of the Data Breach, which will be informed by an initial assessment of the breach and any risks that it poses, such as the nature and sensitivity of the information, the amount of information and potential number of Affected Individuals and the seriousness of any harm.

RQ’s policy is that appropriately experienced third parties be engaged, where appropriate, to assist with containment and mitigation of Data Breaches or Suspected Data Breaches which may pose a high risk.

Step 4: Assessment

RQ's policy is that the Data Breach Response Team be convened where a Data Breach or Suspected Data Breach may be an Eligible Data Breach.

The Data Breach Response Plan sets out key criteria for the Data Breach Response Team to consider when assessing the seriousness of harms in connection with an assessment of a possible Eligible Data Breach, including:

  • the kind of Personal Information accessed, disclosed or lost;
  • the sensitivity of the Personal Information;
  • whether the Personal Information is protected by 1 or more security measures;
  • if the Personal Information is protected by 1 or more security measures, the likelihood that any of those security measures could be overcome;
  • the persons, or the kinds of persons, who have obtained, or who could obtain, the Personal Information;
  • the nature of the harm likely to result from the Data Breach; and
  • any other relevant matter, such as the effectiveness of the steps taken to control the Data Breach, whether the Data Breach has affected another agency and whether there are any vulnerabilities of the Affected Individuals (e.g. children).

RQ is to take all reasonable steps to ensure that this assessment is completed within 30 days of RQ becoming aware of the Data Breach.

Step 5: Notification

If RQ determines that the Data Breach is an Eligible Data Breach or reasonably suspects that the Data Breach is an Eligible Data Breach, and unless an exemption applies, RQ is to notify:

  • The Office of the Information Commissioner Queensland; and
  • Affected Individual(s).

An exemption may apply to the notification requirements contained in the IP Act in situations where notification may cause a serious risk of harm to an individual's health or safety, where the notification would likely prejudice an investigation or court proceedings, or where RQ has taken steps to contain the Data Breach and eliminate the likelihood of Serious Harm.

Notifications to Affected Individuals are to include:

  • RQ’s name;
  • RQ’s contact details for the individual to contact;
  • The date the Data Breach occurred;
  • A description of the Data Breach, including the type of Data Breach;
  • Information about how the Data Breach occurred;
  • A description of the Personal Information the subject of the Data Breach;
  • RQ’s recommendations about the steps the individual should take in response to the Data Breach;
  • The period during which access or disclosure was made or available;
  • The steps RQ has taken or will take to contain and mitigate the Data Breach; and
  • Information about how the individual may make a privacy complaint.

Depending on the circumstances and severity of the Data Breach, RQ may also notify:

  • The Minister for Racing;
  • The Queensland Government Cyber Security Unit (CSU);
  • Law enforcement agencies; and
  • Any other agency affected by the Data Breach.

Step 6: Review and Remediation

Within a reasonable time following an Eligible Data Breach, the Data Breach Response Team is to oversee a review of the circumstances that led to the Eligible Data Breach to determine learnings from the relevant incident and what (if any) measures can be taken to prevent the risk of a similar incident happening again.

Such measures may include updating internal policy and procedure documents (RQ’s Information Security Guideline, Privacy Policy and/or the Data Breach Response Plan), reviewing and changing IT systems and security and further training for RQ Workers.


Data Breach Register

RQ has established and will maintain an internal register that details all Eligible Data Breaches of RQ.


Record-keeping

RQ has processes for documenting the management of and response to Data Breaches and Suspected Data Breaches, which include preparation of a memorandum that details RQ’s analysis of the Data Breach to determine whether it is an Eligible Data Breach.


Related Legislation and Policies

RQ has a Privacy Policy. A copy of it is available at this link: Privacy Policy, or can be requested from the Privacy Officer whose contact details are below.

Individuals have the right to access and correct their Personal Information held by RQ. This right is under the Right to Information Act 2009 (Qld). For information about this, the Privacy Officer, whose contact details are below, may be contacted.


Further Information and Contacts

For further information about this policy, to report a Data Breach or Suspected Data Breach or for any privacy-related questions generally, please contact:

Privacy Officer
 Racing Queensland
 PO Box 63
 DEAGON QLD 4017

Phone: (07) 3869 9777

Email: rti@racingqueensland.com.au

The contact details of the Office of the Information Commissioner Queensland are:

Telephone: (07) 3234 7373 or 1800 642 753

Email: enquiries@oic.qld.gov.au

Postal address: PO Box 10143, Adelaide Street, Brisbane Q 4000

Published July 1, 2025