OAIC data breach response plan guide

The OAIC (Office of the Australian Information Commissioner) has released a new guide to assist organisations in developing a clear data breach response plan.

The guide is not legally binding. However, organisations covered by the Privacy Act have obligations under the Act and APP 11 (Australian Privacy Principle 11, security of personal information) to take reasonable steps to protect the personal information they hold from misuse, interference and loss, and from unauthorised access, modification or disclosure. One of those reasonable steps may be the preparation and implementation of a data breach response plan.

The guide explains that the actions taken immediately after the discovery of a breach can be crucial to the success of the response. A quick response can also substantially reduce the impact on affected individuals and help protect consumer confidence and the reputation of the organisation.

The guide contains the following short checklist.

Data breach response plan quick checklist

Use this list to check whether your response plan addresses the relevant issues. For each issue, record Yes/no and any comments.

  • How is a data breach identified?
  • Do your staff know what to do if they suspect a data breach has occurred?
  • Who is ultimately responsible for your entity’s handling of a data breach in accordance with the plan?
  • Who is on your response team?
  • Do you need to include external expertise in your response team, for example data forensics experts, privacy experts, etc.?
  • Do they know their roles and what to do?
  • Have you set up clear reporting lines?
  • When do you notify individuals affected by a data breach?
  • Have you considered in what circumstances law enforcement or regulators (such as the OAIC) may need to be contacted?
  • Do you have an agreed approach to responding to media inquiries, including:
      ◦ pro-active or reactive strategies?
      ◦ an agreed spokesperson?
  • What records will be kept of the breach and your management of it?
  • Does your plan refer to any strategies for identifying and addressing any weaknesses in data handling that contributed to the breach?
  • Are there any matters specific to your circumstances, for example:
      ◦ do you have insurance policies that may apply?
      ◦ how will you keep your staff informed?
  • How frequently is your plan tested and reviewed, and who is responsible for doing so?
  • Is there a system for a post-breach review and assessment of your entity’s response to the data breach and the effectiveness of your data breach response plan?
