Data breach policy

1. Purpose
This policy describes how Rubix Studios Pty. Ltd. will respond to a data breach in accordance with the Privacy Act 1988.
Rubix Studios Pty. Ltd. believes that clear roles, responsibilities and procedures will serve as the foundation of a comprehensive privacy program.
This policy outlines:
All Rubix Studios Pty. Ltd. employees, officers, representatives or advisers ('Employees') are required to understand and act in accordance with this policy.
Data Breach Definition
A data breach occurs when personal information or intellectual property held by Rubix Studios Pty. Ltd. is subject to unauthorised access, disclosure, modification or loss. Data breaches can occur in several ways, including but not limited to the following:
Specific to Rubix Studios Pty. Ltd.’s business, the following have been identified as possible data breach sources:
What to do if a Data Breach is Suspected?
All Rubix Studios Pty. Ltd. Employees who are aware of, informed of or suspect a data breach must inform Rubix Studios Pty. Ltd.’s IT team immediately. The IT team must then assess the suspected breach to determine whether or not a breach has occurred. If a data breach has occurred, then the IT team will manage the breach according to the steps outlined in the Data Breach Management Plan.
Data Breach Response Plan
Under OAIC recommendations, the following steps will be taken in response to a verified Data Breach.
Notifiable Data Breach Scheme
Under the Notifiable Data Breach Scheme, Rubix Studios Pty. Ltd. is obliged to report data breaches that satisfy the following criteria:
For further information on how to assess a notifiable data breach, Rubix Studios Pty. Ltd. must refer to the OAIC’s APP guidelines.
Where Rubix Studios Pty. Ltd. suspects an eligible breach has occurred, it must conduct a reasonable and expeditious assessment of the breach: s 26WH(2)(a) of the Privacy Act. Where possible, the assessment must be completed within 30 days of Rubix Studios Pty. Ltd. becoming aware of information that causes it to suspect that an eligible breach has occurred. If Rubix Studios Pty. Ltd. is unable to complete the assessment within 30 days, a written document must be prepared that addresses the following:
Where an Eligible Breach has occurred, Rubix Studios Pty. Ltd. must inform affected users AND the Privacy Commissioner. Rubix Studios Pty. Ltd. is allowed to disclose eligible breaches to users in either of the following ways:
Disclosure of eligible breaches to the Privacy Commissioner may be done online.
For more information on disclosing Eligible Breaches under the Notifiable Data Breach Scheme, please refer to the OAIC’s webpage on the topic.
Disciplinary Consequences
Rubix Studios Pty. Ltd. reserves the right to monitor Employees’ use, access and modification of the company’s data and to initiate an investigation in cases where an employee conducts an action that breaches this policy.
All Employees should handle Rubix Studios Pty. Ltd.’s data with due diligence under this policy and any related policies. If an employee’s action or omission prohibited under this policy disrupts the integrity of the data system or leads to a breach defined in the Privacy Act, the employee may face severe disciplinary action, up to and including termination, at the discretion of Rubix Studios Pty. Ltd.
This policy is effective from 16th June 2019.
Last updated 14th March 2025.