If your business has responsibilities under the Privacy Act then, as specified by the Notifiable Data Breaches (NDB) scheme, you must notify individuals and the OAIC (Office of the Australian Information Commissioner) when a data breach occurs.
An organisation will have obligations under the Privacy Act if it is an Australian government agency, has an annual turnover of more than $3 million, or falls into one of these exceptions.
As such, you need to be prepared in case a data breach occurs in your business.
It is important to have a Data Breach Response Plan to make sure that you fulfil your obligations to the individuals you’ve collected data from, and to the OAIC.
What Are Data Breaches?
A data breach happens when an individual’s personal information is lost by an organisation or is subjected to unauthorised access.
A data breach can occur in many different scenarios, for example:
- Your customers' personal information is stored on a device that goes missing or is stolen
- A database holding your customers' information is hacked
- Personal information is accidentally given or relayed to the wrong person
What Is A Data Breach Response Plan?
A Data Breach Response Plan is a framework setting out the roles and responsibilities that need to be taken to manage a data breach if one were to occur.
A business's Data Breach Response Plan needs to be a comprehensive written plan that ensures all staff are aware of their roles in the case of a data breach.
Your Data Breach Response Plan should be easily accessible to all your staff so that it can be retrieved on short notice.
The OAIC recommends that Data Breach Response Plans be tested regularly to ensure that they are up to date and effective. How often testing should be conducted depends on various factors, such as:
- The size of your business
- The nature of your business
- The extent to which an individual would be affected if a breach were to occur
- The nature of the information you collect (i.e. how sensitive is it?)
Why Do I Need A Data Breach Response Plan?
It’s recommended that you have a Data Breach Response Plan to make sure your business can respond to any breaches in a timely manner.
A quick response will be important in decreasing the impact of a breach on individuals, reducing the cost of handling the breach, and minimising the potential for the breach to ruin your goodwill and reputation.
Responding to data breaches in a quick and efficient manner also lets your clients know that your business takes privacy seriously.
What’s In A Data Breach Response Plan?
Your Data Breach Response Plan should address:
- What is considered a data breach: Different businesses may have different definitions of what constitutes a breach. Your plan should also include potential examples, based on the nature of your business.
- Strategies for containing, assessing and managing the data breach: The plan should include actions for your staff, address requirements under law (e.g. requirements under the NDB scheme), and outline a standard and clear way of communicating with affected individuals and businesses.
- Documentation: You should detail your methods of recording incidents, as this will help demonstrate how your business remains compliant with its legal obligations.
- Review: Evaluate the response after a breach and use what you learn to improve your processes.
The OAIC has a sample checklist that is useful in formulating your own Response Plan.
Putting together a Data Breach Response Plan can seem like a daunting task, but it is crucial for businesses to have one, particularly if you have obligations under the Privacy Act.
Responding in the most efficient manner is important to maintain trust in your business, and to ensure the effect of the breach is contained.