If your business has responsibilities under the Privacy Act then, as specified by the Notifiable Data Breaches (NDB) scheme, you must notify individuals and the OAIC (Office of the Australian Information Commissioner) when a data breach occurs. 

An organisation will have obligations under the Privacy Act if it is an Australian government agency, has an annual turnover of more than $3 million, or falls into one of these exceptions

As such, you need to be prepared in case a data breach occurs in your business.

It is important to have a Data Breach Response Plan to make sure that you fulfil your obligations to the individuals you’ve collected data from, and to the OAIC. 

What Are Data Breaches?

A data breach happens when an individual’s personal information is lost by an organisation or is subjected to unauthorised access. 

There are many different scenarios in which a data breach can occur. They could be: 

  • If your customers’ personal information is stored on a device, and this device goes missing or gets stolen
  • If you have a database with your customer’s information that gets hacked
  • If personal information accidentally gets given or relayed to the wrong person

What Is A Data Breach Response Plan? 

A Data Breach Response Plan is a framework setting out the roles and responsibilities that need to be taken to manage a data breach if one were to occur. 

A business’ Data Breach Response Plan needs to be a comprehensive plan in writing that ensures all staff are aware of their roles in the case of a data breach. 

Your Data Breach Response Plan should be easily accessible to all your staff so that it can be retrieved on short notice. 

The OAIC recommends that Data Breach Response Plans should be tested regularly to ensure that they are up-to-date and effective. How regularly testing should be conducted is based on various factors such as: 

  • The size of your business 
  • The nature of your business 
  • The extent to which an individual will be affected if a breach was to occur
  • The nature of the information you collect (i.e. how sensitive is it?)  

Why Do I Need A Data Breach Response Plan? 

It’s recommended that you have a Data Breach Response Plan to make sure your business can respond to any breaches in a timely manner. 

A quick response will be important in decreasing the impact of a breach on individuals, reducing the cost of handling the breach, and minimising the potential for the breach to ruin your goodwill and reputation.

Responding to data breaches in a quick and efficient manner also lets your clients know that your business takes privacy seriously.

What’s In A Data Breach Response Plan?

Your Data Breach Response Plan should address: 

  • What is considered a data breach: Different businesses may have different definitions of what constitutes a breach. Your plan should also include potential examples, based on the nature of your business. 
  • Strategies for containing, assessing and managing the data breach: The plan should include actions for your staff, address requirements under law (e.g. requirements under the NDB scheme), and outline a standard and clear way of communicating with affected individuals and businesses. 
  • Documents: You should detail your methods of recording incidents, as this will help demonstrate how your business remains compliant with your legal obligations.
  • Review: This is to evaluate the response post-breach and to improve processes. 

The OAIC has a sample checklist that is useful in formulating your own Response Plan. 

Need Help?

Putting together a Data Breach Response Plan can seem like a daunting task, but it is crucial for businesses to have one, particularly if you have obligations under the Privacy Act. 

Responding in the most efficient manner is important to maintain trust in your business, and to ensure the effect of the breach is contained. 

Get in touch with us at team@sprintlaw.com.au if you have any questions regarding Response Plans or your obligations under the Privacy Act.

Abinaja Yogarajah
Abinaja is a the legal operations lead at Sprintlaw. After completing a law degree and gaining experience in the technology industry, she has developed an interest in working in the intersection of law and tech.
About Sprintlaw

Sprintlaw's expert lawyers make legal services affordable and accessible for business owners. We're Australia's fastest growing law firm and operate entirely online.

5.0
(based on Google Reviews)
Do you need legal help?
Get in touch now!

We'll get back to you within 1 business day.

  • This field is for validation purposes and should be left unchanged.

Related Services

Data Breach Response Plan

Equip yourself to deal with data breaches.
Learn More

Data Breach Notification

Make sure your business is ready to respond to a data breach.
Learn More

Phantom Share Option Plan

Set up a Phantom Share Option Plan
Learn More

Data & Privacy Lawyers

Specialist data & privacy lawyers
Learn More

Online Data & Privacy Lawyers

Get expert help from our online data & privacy lawyers
Learn More
Related Articles
Is It Legal To Have Workplace Cameras And Surveillance?
Posted 17th October, 2023
Is ChatGPT Copyright Free?
Posted 5th May, 2023
Get A Cross-Border Data Processing Agreement
Posted 16th March, 2023
Business Call Recording Laws In Australia
Posted 7th March, 2023
A Guide To The Privacy And Data Protection Act 2014 (Vic)
Posted 9th December, 2022
Australian Law Data Breaches: What You Need To Know
Posted 18th November, 2022