Australian Privacy Regulator issues draft guide to developing a data breach response plan

The OAIC has released a draft guide to assist entities in planning for, and dealing with, data breaches. It is intended to be read together with the data breach notification guide published in 2014, and should also be read in anticipation of mandatory data breach reporting coming into force in Australia in the near future. The guide is not legally binding, but it provides guidance on what a good plan should address. The OAIC emphasised that implementing an appropriate data breach response plan may go some way towards meeting the Privacy Act 1988 requirement to take reasonable steps to protect any personal information an entity holds.

While any data breach may contravene the Privacy Act, the guide is generally directed to breaches where personal information held by an entity is lost, accessed, disclosed or manipulated in an unauthorised manner. After outlining the reasons to maintain an effective data breach response plan, the guide states that the plan should address the actions to be taken by staff if a breach is suspected or discovered (and when to escalate those actions), identify the members of a data breach response team, and specify the actions the response team should take. Plans should be in writing, accessible, and known to all staff. The OAIC also identified that regular reviews and testing of the plan (using hypothetical breaches) are essential to its effectiveness.
The guide also recommends including the following in a response plan: a strategy for assessing and containing breaches (including notes on what actions are legally required); an explanation and examples of what constitutes a data breach; reporting lines for suspected breaches; when staff can deal with a breach themselves and when it should be escalated to the response team (and who decides on escalation); who is to deal with external stakeholders (such as regulators and the media); how data breaches are to be recorded; strategies for reviewing the weaknesses in systems that contributed to the breach; the members of the response team and the identity of the team leader; and contact points for external experts. The guide includes a useful checklist that can be used to evaluate any response plan an entity already has.

The OAIC is seeking public comments on the draft guide, including what other guidance might assist entities, by 27 November 2015.

For more information, please contact Anne-Marie Allgrove, Toby Patten, Matthew Dempsey or Emma Burn.