The Notifiable Data Breaches (NDB) scheme under the Privacy Act 1988 comes into effect on 22 February 2018. Outlined below are some tips to help get you up to speed.
1. Are you complying with your current obligations as set out in the Australian Privacy Principles (APPs)?
The APPs are:
APP 1 – open and transparent management of personal information
APP 2 – anonymity and pseudonymity
APP 3 – collection of solicited personal information
APP 4 – dealing with unsolicited personal information
APP 5 – notification of the collection of personal information
APP 6 – use or disclosure of personal information
APP 7 – direct marketing
APP 8 – cross-border disclosure of personal information
APP 9 – adoption, use or disclosure of government related identifiers
APP 10 – quality of personal information
APP 11 – security of personal information
APP 12 – access to personal information
APP 13 – correction of personal information
2. Check your privacy policy against what you actually do
- Do you do what your privacy policy says?
- Does your privacy policy say what you do?
- Align what is said and what is done with the APP obligations above.
3. Assemble your breach team
- Who in your organisation is responsible for privacy?
- When a crisis hits does everyone know their role and responsibilities?
4. Create an incident assessment plan
Create an incident assessment plan so that, once you become aware of reasonable grounds to suspect an eligible data breach, you can complete a reasonable and expeditious assessment within the 30 days the law allows.
- How are incidents logged?
- Who leads investigations?
- What are reporting times and format?
- Who makes the assessment?
- Do you need external input/sign off?
Once the incident is assessed make a decision – is notification required?
5. Prepare to notify
If the assessment finds that an eligible data breach has occurred (unauthorised access to, disclosure of, or loss of personal information that is likely to result in serious harm to any individual, and that you have not been able to remediate in time to prevent that harm), then you must move as soon as practicable to notify the regulator (the Office of the Australian Information Commissioner) and the individuals at risk:
- Where is the breach response plan?
- What pre-planned steps are in place? e.g. communication channels, messaging for different stakeholders, microsites and basic FAQs.
- Assemble the team and execute the plan.