EduNomicon Notifiable Data Breach Response Policy
Effective date: 18 May 2026
Last updated: 18 May 2026
Version: 1.0
Applies to: Australian customers and authorised users
1. Purpose
1.1 This Notifiable Data Breach Response Policy sets out how EduNomicon will identify, assess, contain, respond to, review and, where required, notify affected parties about suspected or confirmed data breaches involving personal information handled by EduNomicon.
1.2 This policy is intended to support compliance with applicable privacy obligations, including the Privacy Act 1988 (Cth), the Australian Privacy Principles and the Notifiable Data Breaches scheme where they apply.
1.3 This policy is also intended to support a prompt, proportionate and documented response to privacy and security incidents affecting customer data, student-level data, authorised users, platform records or other personal information handled through EduNomicon.
2. Scope
2.1 This policy applies to suspected or confirmed incidents involving personal information handled by EduNomicon, including customer data, student-level data, account information, support records, audit logs, model metadata, reports, exports and platform records.
2.2 This policy applies to EduNomicon personnel, contractors, administrators, support providers and any other person authorised to access EduNomicon systems or customer data.
2.3 This policy also sets expectations for customers and authorised users where they become aware of suspected unauthorised access, inappropriate uploads, misuse, data leakage, disclosure, loss or other privacy or security incidents involving EduNomicon.
2.4 This policy should be read together with the EduNomicon Privacy Policy, Terms of Service, Security Policy, Customer Agreement and any applicable data handling or support arrangements.
3. What is a Data Breach?
3.1 A data breach occurs when personal information held by or on behalf of EduNomicon is:
(a) accessed by an unauthorised person;
(b) disclosed to an unauthorised person;
(c) lost in circumstances where unauthorised access or disclosure is likely; or
(d) otherwise handled in a way that may compromise privacy, confidentiality, security or lawful use.
3.2 Examples may include:
(a) unauthorised login to an EduNomicon account;
(b) accidental disclosure of customer data to the wrong customer or user;
(c) upload of prohibited or high-risk personal information outside an approved arrangement;
(d) loss, theft or compromise of credentials, access tokens, keys or administrative accounts;
(e) unauthorised access to cloud storage, logs, model records, reports or exports;
(f) misconfigured access controls allowing cross-tenant access;
(g) malware, ransomware, phishing or compromise of infrastructure;
(h) accidental email disclosure of personal information;
(i) inappropriate export, download or sharing of student-level data; or
(j) suspected compromise of a third-party service provider that handles EduNomicon-related information.
4. What is an Eligible Data Breach?
4.1 A data breach may be an eligible data breach under the Notifiable Data Breaches scheme if:
(a) there has been unauthorised access to, unauthorised disclosure of, or loss of personal information;
(b) the incident is likely to result in serious harm to one or more individuals; and
(c) EduNomicon or another responsible entity has not been able to prevent the likely risk of serious harm through remedial action.
4.2 Serious harm may include physical, psychological, emotional, financial, reputational or other serious harm, depending on the nature of the information and the circumstances of the breach.
4.3 Not every data breach is notifiable. EduNomicon will assess suspected breaches promptly and proportionately to determine whether notification is required by law, contract or applicable agreement.
5. Breach Response Principles
5.1 EduNomicon will respond to suspected or confirmed data breaches in a way that is prompt, calm, documented, proportionate and focused on reducing harm.
5.2 EduNomicon’s breach response will generally follow four stages:
(a) contain the incident;
(b) assess the incident;
(c) notify affected parties where required; and
(d) review the incident and improve controls.
5.3 These stages may occur at the same time where appropriate, particularly where urgent containment, customer notification or individual notification is needed to reduce risk.
5.4 EduNomicon will preserve relevant evidence where reasonably necessary to understand the incident, support remediation, meet legal obligations, assist customers and improve future controls.
6. Breach Response Roles
6.1 The EduNomicon Breach Response Lead is responsible for coordinating the initial response, recording decisions, managing customer communication and determining whether external assistance is required.
6.2 The Technical Response Lead is responsible for technical containment, system review, access review, log review, infrastructure remediation, credential resets and technical evidence preservation.
6.3 The Privacy Response Lead is responsible for assessing privacy risk, coordinating legal or privacy advice where required, preparing customer notifications and assessing whether OAIC or affected individual notification may be required.
6.4 In a small-provider context, one person may perform more than one role, but the required responsibilities must still be addressed.
6.5 EduNomicon may involve external advisers, insurers, legal advisers, privacy consultants, cybersecurity specialists, cloud providers or affected customers where reasonably necessary.
7. Initial Reporting and Escalation
7.1 EduNomicon personnel, contractors, customers and authorised users must promptly report suspected data breaches or security incidents to EduNomicon.
7.2 Reports should include, where known:
(a) what happened;
(b) when it happened;
(c) who discovered it;
(d) what information may be affected;
(e) which customer, tenant, user, dataset, model, report or system may be affected;
(f) whether the incident is ongoing;
(g) what immediate steps have already been taken; and
(h) any screenshots, logs, error messages or supporting information.
7.3 Suspected incidents involving student-level data, customer production data, administrator credentials, cross-tenant access, cloud infrastructure, prohibited data or unauthorised exports must be treated as urgent.
8. Containment
8.1 EduNomicon will take reasonable steps to contain a suspected or confirmed data breach as soon as practicable.
8.2 Containment steps may include:
(a) disabling affected accounts;
(b) resetting passwords, access tokens, API keys or credentials;
(c) revoking sessions;
(d) restricting access to affected datasets, models, reports or exports;
(e) disabling affected features or integrations;
(f) isolating affected infrastructure;
(g) correcting access control or configuration issues;
(h) blocking further uploads, downloads or exports;
(i) preserving logs and evidence;
(j) contacting affected customers, service providers or advisers; and
(k) taking other reasonable steps to reduce the risk of further unauthorised access, disclosure, loss or harm.
9. Assessment
9.1 EduNomicon will assess suspected data breaches promptly and will take reasonable steps to complete any required assessment within the period required by applicable law.
9.2 The assessment may consider:
(a) the type and sensitivity of information involved;
(b) whether student-level data or children’s personal information is involved;
(c) whether sensitive, health, wellbeing, disability, legal, financial, government identifier or other high-risk information is involved;
(d) whether the information was encrypted, pseudonymised, de-identified or otherwise protected;
(e) whether credentials, keys or access controls were compromised;
(f) who accessed or may have accessed the information;
(g) whether the information was disclosed, copied, downloaded, exported, altered, deleted or misused;
(h) whether the breach is contained;
(i) whether remedial action has removed or reduced the risk of serious harm;
(j) the likely harm to affected individuals;
(k) whether notification to the customer, affected individuals, OAIC, insurers, regulators, cloud providers, law enforcement or other parties is required or appropriate; and
(l) any contractual, legal, school governance, child safety or customer notification obligations.
9.3 EduNomicon will document the assessment, including key facts, risk factors, decisions, actions taken, notifications made and reasons for the final assessment.
10. Notification
10.1 Where EduNomicon determines that notification is required by law, contract or applicable agreement, EduNomicon will take reasonable steps to notify the relevant parties.
10.2 Notification may be made to:
(a) affected customers;
(b) affected individuals, where required or appropriate;
(c) the Office of the Australian Information Commissioner, where required;
(d) relevant regulators, insurers, advisers, law enforcement agencies or government bodies, where required or appropriate;
(e) affected third-party service providers; and
(f) other parties where reasonably necessary to reduce harm or comply with obligations.
10.3 A notification may include, where appropriate:
(a) EduNomicon’s name and contact details;
(b) a description of the data breach;
(c) the kinds of information involved;
(d) the date or estimated date of the breach;
(e) the affected customer, tenant, dataset, system or service, where appropriate;
(f) steps EduNomicon has taken or is taking;
(g) recommended steps affected parties may take to reduce risk;
(h) whether further updates will be provided; and
(i) contact details for further questions.
10.4 Where a breach involves information controlled by a customer, EduNomicon may coordinate with that customer to determine the appropriate notification approach.
10.5 Where multiple entities are involved, EduNomicon may coordinate notification with the relevant customer, service provider or other entity to avoid duplication and ensure affected individuals receive clear information.
11. Customer Responsibilities
11.1 Customers must promptly notify EduNomicon if they become aware of suspected unauthorised access, inappropriate uploads, misuse, data leakage, disclosure, loss or other incidents involving EduNomicon.
11.2 Customers must cooperate with reasonable containment, investigation, assessment, notification and remediation steps.
11.3 Customers remain responsible for their own internal privacy, security, child safety, records management and data breach obligations.
11.4 Where the customer is best placed to notify affected individuals, such as students, parents, guardians or staff, EduNomicon may work with the customer to support notification where appropriate.
12. Review and Improvement
12.1 After a data breach or suspected data breach, EduNomicon will review the incident and consider whether improvements are required.
12.2 Review may include:
(a) root cause analysis;
(b) access control review;
(c) infrastructure or configuration review;
(d) upload control review;
(e) logging and monitoring review;
(f) staff or contractor training;
(g) policy or process updates;
(h) customer guidance updates;
(i) changes to security controls; and
(j) changes to contractual or governance arrangements.
12.3 EduNomicon will retain breach records for a reasonable period for audit, compliance, security, insurance, legal, dispute resolution and platform integrity purposes.
13. Contact
13.1 Suspected data breaches, privacy incidents or security incidents should be reported to:
Privacy: privacy@educode.com.au
Security: security@educode.com.au
Support: support@educode.com.au
13.2 Urgent security or privacy incidents should be marked as urgent and include sufficient detail to allow EduNomicon to assess and respond promptly.
