Procedure: Data Breach Response Plan
Background information from the Australian Government: https://www.oaic.gov.au/privacy/guidance-and-advice/data-breach-preparation-and-response/
To set out procedures to implement the mandatory notifiable data breaches scheme that applies under the Privacy Act 1988.
Data breach means unauthorised access to, or unauthorised disclosure of, personal information or a loss of personal information. Examples of a data breach are when a device containing personal information is lost or stolen, an entity’s database containing personal information is hacked or an entity mistakenly provides personal information to the wrong person.
Notifiable data breach means a data breach that is likely to result in serious harm, which must be notified to affected individuals and the Australian Information Commissioner.
Personal information means information or an opinion about an individual who is identified, or who can reasonably be identified, from the information, whether or not the information or opinion is true or recorded in a material form, and includes sensitive information; and
Sensitive information means information or an opinion that is also personal information, about a person’s racial or ethnic origin, political opinions, memberships of political, professional and trade associations and unions, religious and philosophical beliefs, sexual orientation or practises, criminal history, health information, and genetic and biometric information.
Identification of a breach
Finlert experiences data breach or a data breach is suspected: This may be discovered by a Finlert staff member, or a Finlert staff member may be alerted by another party or system.
When a Finlert staff member discovers a known or suspected data breach they should immediately notify the Finlert Privacy Officer. Please provide as much information as possible such as the time and date the known or suspected breach was discovered, the type of personal information involved, the cause and extent of the breach, and the context of the affected information and the breach.
Any immediate steps available to contain the breach must be identified and implemented in discussion with the Privacy Officer. Reducing the scale and impact of a data breach can prevent the need for notification to the OAIC. All known or suspected data breaches must still be notified internally to the Finlert Privacy Officer.
Assessment of a breach
Not all data breaches are notifiable. If, after an initial investigation, the Privacy Officer suspects a notifiable data breach may have occurred, a reasonable and expeditious assessment must be undertaken to determine if the data breach is likely to result in serious harm to any individual affected.
The Finlert Privacy Officer will seek information to assess the suspected breach. In assessing a suspected breach, the Privacy Officer may require assistance and information from other areas of the company depending on the circumstances.
There will then be an evaluation of the scope and possible impact of the breach. The Privacy Officer will assess if a breach is likely to be notifiable and ensure appropriate actions including reporting to the Office of the Australian Information Commissioner (OAIC). An assessment of a known or suspected breach must be conducted expeditiously and where possible should be completed within 72 hours.
In all cases the assessment will identify what actions must be taken. These will be documented and acted upon as soon as possible.
There is no single method of responding to a data breach. Data breaches must be dealt with on a case-by-case basis, by undertaking an assessment of the risks involved, and using that risk assessment to decide the appropriate course of action.
There are four key steps to consider when responding to a breach or suspected breach.
STEP 1: Contain the breach and do a preliminary assessment
STEP 2: Evaluate the risks associated with the breach
STEP 3: Notification to OAIC and affected individuals without undue delay
STEP 4: Prevent future breaches
A notifiable breach
A breach which is assessed as likely to result in serious harm to individuals whose personal information is involved, is a notifiable data breach. Such data breaches must be notified to the affected individuals and the OAIC. Notice must include information about the breach and the steps taken in response to the breach.
If Finlert has responded quickly to the breach, and as a result of this action the data breach is not likely to result in serious harm, there is no need to notify individuals or the OAIC. However Finlert may decide to tell the affected individuals about the incident if it is considered appropriate.
The risk of serious harm will be assessed by considering both the likelihood of the harm occurring and the consequences of the harm. Some of the factors that should be considered are:
The type of personal information involved in the data breach
Some kinds of personal information are more sensitive than others and could lead to serious ramifications for individuals if accessed. Information about a person’s health, documents commonly used for identity fraud (e.g. Medicare card, driver’s licence) or financial information are examples of information that could be misused if the information falls into the wrong hands.
Circumstances of the data breach
The scale and size of the breach may be relevant in determining the likelihood of serious harm. The disclosure of information relating to a large number of individuals would normally lead to an overall increased risk of at least some of those people experiencing harm. The length of time that the information has been accessible is also relevant.
Consideration must be given to who may have gained unauthorised access to information, and what their intention was (if any) in obtaining such access. It may be that there was a specific intention to use the information in a negative or malicious way.
Nature of possible harm
Consider the broad range of potential harm that could follow from a data breach including:
threat to a person’s safety
loss of business or employment opportunities and
damage to reputation (personal and professional).
Notification to the OAIC and internally within the company is the responsibility of the Privacy Officer.
Notification to individuals may be undertaken by the Privacy Officer or a company officer in the area in which the breach occurred after the Privacy Officer agrees to the action.
Notifications will follow the format identified by the OAIC in Data breach preparation and response.
A response team will be formed for a serious breach.
The Chief Executive Officer will be informed when a Response Team is established.
Breaches that are not serious
Breaches that are not assessed as serious breaches may be handled by line managers, but must be reported to the Privacy Officer.
Documentation will be stored in the Electronic Records Management System for each suspected breach.