On 11 April 2016, the Privacy Commissioner released a guide to handling data breaches. It is aimed at entities regulated by the Privacy Act 1988 (Cth), to assist them in complying with the Australian Privacy Principles.
When (and it is likely to be a matter of when, not if) your entity suffers a data breach, whether because its systems are hacked or because devices are lost or stolen, you need to be equipped to deal with it. The first 24 hours are likely to be the most crucial in determining how well a breach is handled, so it pays to get in front of the problem with a pre-prepared action plan rather than improvising once the breach is under way. Data breaches can be expensive, both monetarily and reputationally.
In the guide, the Privacy Commissioner highlights that a written data breach response plan is an important tool for dealing with such incidents. Such a plan should include:
- actions to be taken if a breach is suspected, discovered or reported by a staff member, including escalation measures;
- the members of the data breach response team; and
- the actions the team are expected to take.
Such a plan needs to be regularly reviewed and updated, with all relevant staff kept up to date so that they know what actions they are expected to take.
The Privacy Commissioner suggests the following four steps to be taken when a data breach is discovered:
- contain the breach and do a preliminary assessment;
- evaluate the risks associated with the breach;
- develop a plan for notifying affected individuals and consider what information should be in any notification; and
- determine steps to be taken to prevent future breaches.