What does this cover?

On 28 October 2015 the Office of the Australian Data Protection Commissioner (the OAIC) released a draft guide titled "Guide to developing a data breach response plan - Consultation draft" (the Draft Guide). The aim of the Draft Guide is to assist companies in compiling an adequate response plan to data breach incidents.

The Draft Guide will not be binding, but it is indicative of the types of expectations and requirements placed on businesses subject to the Privacy Act 1988, for which the Draft Guide has been specifically designed. According to the Draft Guide, organisations subject to the Privacy Act 1988 include "organisations, agencies, credit reporting bodies (CRBs), credit providers and tax file number recipients. However, this guide may also be relevant to organisations not subject to the Privacy Act as a model for better privacy practice".

The Draft Guide covers the definition of a data breach, why companies need a data breach response plan, and what the plan should include. The Draft Guide notes the need for a dedicated response team, warning that "Time can be lost if you do not consider how to create a response team until the breach has already occurred". The response team should:

1. "contain the breach and do a preliminary assessment

2. evaluate the risks associated with the breach

3. notification

4. prevent future breaches"

Further details on the expectations of the OAIC are outlined in the OAIC's previous publication "Data breach notification guide: A guide to handling information security breaches", published in August 2014.

The OAIC sought feedback on the Draft Guide by 27 November 2015.

The Draft Guide is available here.

What action could be taken to manage risks that may arise from this development?

Financial services companies with operations in Australia should note that, whilst the Draft Guide is not mandatory, they should consider adopting the processes recommended by the OAIC once the guide is finalised.