Businesses need to take steps now to ensure they have adequate practices, policies and procedures in place to assess data breaches in order to meet upcoming Notifiable Data Breach requirements.

From February 2018, business managers will need to assess a suspected data breach as a precursor to determining whether it is a Notifiable Data Breach (NDB).

In September 2017 the Office of the Australian Information Commissioner (OAIC) released a draft resource to assist businesses with the obligation to assess a suspected data breach.

The OAIC resource makes it very clear the obligation is not only to assess the relevant circumstances, but to have in place adequate:

  • Practices
  • Policies
  • Procedures.

An entity must take all reasonable steps to complete the assessment within 30 calendar days of becoming aware of the suspected breach. This can be contrasted with the recent Equifax breach (see our recent article on that breach).

The OAIC recommends a risk-based approach to the assessment and indicates that a three-stage process involving the following may be appropriate:

  1. Initiate – decide if an assessment is necessary and who will be responsible
  2. Investigate
  3. Evaluate – make a decision based on the outcome of the investigation as to whether the breach is an eligible breach.

The OAIC recommends that the process be fully documented.

A key takeaway from this resource is to have a nominated person responsible for undertaking and reporting on the assessment process, and to provide them with the resources to complete this task, within the timeframe, in a way that will withstand scrutiny by the regulator.