The OAIC has issued a consultation draft of its Guide to developing a data breach response plan.
Under the Privacy Act 1988 (Cth) organisations, agencies, credit reporting bodies, credit providers and tax file number recipients have obligations to take reasonable steps to protect the personal information that they hold from misuse, interference and loss, and from unauthorised access, modification or disclosure. One of those reasonable steps may include the preparation and implementation of a data breach response plan.
The OAIC notes that actions in the first 24 hours after discovering a data breach are often crucial to the success of your response. A quick response can substantially decrease the impact on the affected individuals.
A data breach response plan is one tool to manage a data breach. It is a framework which sets out the roles and responsibilities for managing an appropriate response to a data breach.
It includes:
- the actions to be taken if a breach is suspected, discovered or reported by a staff member, including when it is to be escalated to the response team;
- the members of your data breach response team;
- the actions the response team is expected to take.
The plan should also clearly identify those actions that are legislative or contractual requirements.
The Guide recommends organisations have a strategy to identify and address any weaknesses in data handling that contributed to the breach.
The Guide contains a data breach response plan quick checklist.