Compliance & Data | Notification

Data Breach Response Plan

The purpose of the Notification Data Breach Response Plan is to set out procedures and lines of authority in the event that Notification experiences a data breach (or suspects that a data breach has occurred). This Plan is intended to enable Notification to contain, assess and respond to data breaches in a timely fashion and to mitigate potential harm to affected individuals.

What is a data breach?

For the purposes of this Plan, a data breach occurs when information held by Notification is lost or subjected to unauthorised access, modification, disclosure, or other misuse or interference. In this Plan, the terms ‘data’ and ‘information’ are used interchangeably and should be taken to mean both data and information.

Where a data breach involves information that is ‘personal information’ as that term is defined in the Privacy Act 1988 (Privacy Act) (i.e. information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not, and whether it is recorded in a material form or not), it may also constitute a breach of the Privacy Act, depending on whether the circumstances giving rise to the data breach also constitute a breach of one or more of the Australian Privacy Principles (APPs) or a registered APP code.

Data breaches involving personal information likely to cause individuals to be at serious risk of harm must be reported to the affected individual(s) and the Australian Information Commissioner in accordance with the requirements of the Notifiable Data Breaches scheme introduced by the Privacy Amendment (Notifiable Data Breaches) Act 2017.

Data breaches may arise from:

  • loss or unauthorised access, modification, use or disclosure or other misuse;
  • malicious actions, such as theft or ‘hacking’;
  • internal errors or failure to follow information handling policies that cause accidental loss or disclosure; and
  • not adhering to the laws of the states and territories or the Commonwealth of Australia.

Responding to data breaches

When a data breach has occurred or is suspected to have occurred, Notification will initiate the following process. However, it should be noted that there is no single method of responding to a data breach and in some cases the following steps may need to be modified. Data breaches must be dealt with on a case-by-case basis, by undertaking an assessment of the risks involved, and using that risk assessment to decide the appropriate course of action.

  1. Notification, or a system managed by Notification, experiences a data breach or a data breach is suspected. A Notification staff member may discover this, or another party or system may alert a Notification staff member.

     When a Notification staff member discovers a known or suspected data breach they should immediately notify the Notification Managing Director, and complete and provide as much information as possible in the “DATA BREACH ASSESSMENT REPORT” (see Attachment A). Include the time and date the known or suspected breach was discovered, the type of personal information involved, the cause and extent of the breach, and the context of the affected information and the breach.

  2. Any immediate steps available to contain the breach must be identified and implemented in discussion with the Managing Director. Reducing the scale and impact of a data breach can prevent the need for notification to the Office of the Australian Information Commissioner (OAIC). All known or suspected data breaches must be notified internally to the Notification Managing Director.

Assessment of the breach

  1. Not all data breaches are notifiable. If, after an initial investigation, the Managing Director suspects a notifiable data breach may have occurred, a reasonable and expeditious assessment must be undertaken to determine if the data breach is likely to result in serious harm to any individual affected.
  2. The Managing Director will seek information to assess the suspected breach. In assessing a suspected breach, the Managing Director may require assistance and information from other areas of the entity depending on the circumstances. For example, a suspected system breach would be investigated by our internal team or a specialist IT support or auditing company.
  3. There will then be an evaluation of the scope and possible impact of the breach. The Managing Director will assess if a breach is likely to be notifiable and ensure appropriate actions are taken, including reporting to the Office of the Australian Information Commissioner (OAIC). An assessment of a known or suspected breach must be conducted expeditiously and where possible should be completed within 30 days.
  4. In all cases the assessment will identify what actions must be taken. These will be documented and acted upon as soon as possible.
  5. There is no single method of responding to a data breach. Data breaches must be dealt with on a case-by-case basis, by undertaking an assessment of the risks involved, and using that risk assessment to decide the appropriate course of action.
  6. There are four key steps to consider when responding to a breach or suspected breach.

    STEP 1: Contain the breach and do a preliminary assessment

    STEP 2: Evaluate the risks associated with the breach

    STEP 3: Notification to OAIC and affected clients and/or individuals

    STEP 4: Prevent future breaches

A notifiable breach

  1. A breach that is assessed as likely to result in serious harm to individuals whose personal information is involved is a notifiable data breach. Such data breaches must be notified to the affected individuals and the Office of the Australian Information Commissioner (OAIC). Notice must include information about the breach and the steps taken in response to the breach.
  2. If the company has responded quickly to the breach, and as a result of this action the data breach is not likely to result in serious harm, there is no need to notify individuals or the Office of the Australian Information Commissioner (OAIC). However, Notification may decide to advise the affected individuals about the incident if Notification considers this appropriate.
  3. The assessment of the risk of serious harm will consider:
     • the likelihood of the harm occurring; and
     • the consequences of the harm.

Some of the factors that should be considered are:

Factor: The type of personal information involved in the data breach
Considerations: Some kinds of personal information are more sensitive than others and could lead to serious ramifications for individuals if accessed. Information about a person’s health, documents commonly used for identity fraud (e.g. personal address, mobile number) or financial information are examples of information that could be misused if the information falls into the wrong hands.

Factor: Circumstances of the data breach
Considerations: The scale and size of the breach may be relevant in determining the likelihood of serious harm. The disclosure of information relating to a large number of individuals would normally lead to an overall increased risk of at least some of those people experiencing harm. The length of time that the information has been accessible is also relevant. Consideration must be given to who may have gained unauthorised access to information, and what their intention was (if any) in obtaining such access. It may be that there was a specific intention to use the information in a negative or malicious way.

Factor: Nature of possible harm
Considerations: Consider the broad range of potential harm that could follow from a data breach, including:
  • identity theft;
  • financial loss;
  • threat to a person’s safety;
  • loss of business or employment opportunities; and
  • damage to reputation (personal and professional).

Notifying the OAIC and affected individuals

  1. Notification to the OAIC, and internally within Notification, is the responsibility of the Managing Director.
  2. The Managing Director, or a nominated Notification staff member in the area in which the breach occurred, will notify affected individuals once the Managing Director agrees to the action.
  3. Notifications will follow the format specified by the OAIC for data breach notifications.

Response team

  1. A response team will be formed for a serious breach. This may include the appropriate Notification staff, IT support/audit company and/or legal firm.

Records

  1. Documentation will be stored for each suspected breach.

Attachment A

View Plan and Attachment A

Questions

To raise a concern please use the support link at the bottom of every page of our website.