The new Notifiable Data Breach laws come into effect on 22 February 2018. Outlined below are some tips to help get you up to speed.

1. Are you complying with your current obligations as set out in the Australian Privacy Principles (APPs)?

The APPs are:

APP 1 – open and transparent management of personal information

APP 2 – anonymity and pseudonymity

APP 3 – collection of solicited personal information

APP 4 – dealing with unsolicited personal information

APP 5 – notification of the collection of personal information

APP 6 – use or disclosure of personal information

APP 7 – direct marketing

APP 8 – cross-border disclosure of personal information

APP 9 – adoption, use or disclosure of government related identifiers

APP 10 – quality of personal information

APP 11 – security of personal information

APP 12 – access to personal information

APP 13 – correction of personal information

2. Review your Privacy Policy

  • Do you do what it says?
  • Does it say what you do?
  • Align what is said and what is done to the APP obligations above.

3. Assemble your breach team

  • Who in your organisation is responsible for privacy?
  • When a crisis hits, does everyone know their role and responsibilities?

4. Create an incident assessment plan

Create an incident assessment plan to meet the legal obligation to carry out a reasonable and expeditious assessment, completed within 30 days, once there are reasonable grounds to suspect an eligible data breach has occurred.

  • How are incidents logged?
  • Who leads investigations?
  • What are the reporting timeframes and format?
  • Who makes the assessment?
  • Do you need external input or sign-off?

Once the incident has been assessed, make a decision: is notification required?

5. Prepare to notify

If the assessment finds that an eligible data breach has occurred, you must notify the regulator (the Office of the Australian Information Commissioner) and the affected individuals as soon as practicable:

  • Where is the breach response plan?
  • What pre-planned steps are in place? e.g. communication channels, messaging for different stakeholders, microsites and basic FAQs.
  • Assemble the team and execute the plan.