Key Points:

While the draft Guide is not legally binding, it may help businesses to develop a data breach response plan and meet both their obligations under the Privacy Act and customer expectations.

High-profile breaches have significant ramifications for businesses and how a business deals with breaches can mitigate their impact.

On 28 October 2015 the Office of the Australian Commissioner (OAIC) released the latest information protection tool in the form of a consultation draft Guide to developing a data breach response plan.

The draft Guide describes how organisations can mitigate the disruption of a breach by establishing and maintaining a clear data breach response plan.

Data breach response plans

The recently released draft Guide complements the OAIC's 2014 Data breach notification guide: A guide to handling personal information security breaches (DBN Guide), to ensure Australian businesses are well equipped to deal with a breach.

The DBN Guide provides general guidance about what data breaches are, how they occur and how they should be responded to. The new draft Guide aims to further ensure that businesses are taking preparatory steps now to mitigate the effects of a data breach, if one occurs.

While the draft Guide is not legally binding, it represents the OAIC's view on what should be considered in the development of a data breach response plan and may assist businesses to meet both obligations under the Privacy Act 1988 (Cth) and customer expectations. In particular, it may help you comply with Australian Privacy Principle 11 (APP 11), which requires reasonable steps be taken to protect personal information. Depending on the type of business, establishing and maintaining an effective data breach response plan may be an important part of the framework that addresses APP 11.

This draft Guide may also assist businesses to prepare for mandatory breach reporting requirements should they be introduced. Reporting of breaches should form part of a data breach response plan where appropriate; the draft Guide includes a link to the OAIC's to be developed data breach notification form for this purpose.

The OAIC has provided a consultation period on the draft Guide, closing on Friday 27 November 2015.

How a response plan can help

Having a response plan in place enables businesses to respond quickly and effectively in the event of a breach, which the draft Guide suggests involves:

  • identifying a data breach;
  • containing the breach and making a preliminary assessment;
  • notifying internal stakeholders and determining responsibilities;
  • appropriate escalation, including to a response team;
  • evaluating the risks for individuals associated with the breach;
  • considering notification;
  • recording the breaches; and
  • reviewing the incident and taking steps to prevent further breaches.

Response team

Having a response team will ensure that the right people are involved and that roles and responsibilities are identified and documented before the data breach occurs. This is an important part of minimising the impact of the breach as it can allow businesses to respond more quickly and effectively by immediately focusing on responding to the issue rather than first having to assemble the relevant team.

The composition of a team will depend on the business, the response plan and the nature of the breach. The draft Guide suggests that the following roles should be considered:

  • a team leader;
  • a project manager;
  • a senior member of staff that has privacy accountability or a privacy officer;
  • legal support;
  • risk management support;
  • IT support / forensics support;
  • HR support; and
  • media / communications expertise.

What to do next

The OAIC has released the Guide as a consultation draft, with a closing date for comments of Friday 27 November 2015. If you wish to make a submission to the OAIC in relation to the draft Guide you can do so by email to consultation@oaic.gov.au or by post to GPO Box 5218 Sydney NSW 2001. For more information see the consultation information page on the OAIC website.

The release of this consultation draft Guide is an opportunity to review your privacy framework and consider the OAIC's views on data breach response plans.

While still in draft, the Guide and the appendix checklist to the Guide can be used to assess existing response plans. This checklist is a useful tool to quickly check that a plan covers all the key areas.

Finally, you should review the final Guide when released by the OAIC following the consultation period.