
Data breach preparation and response



Published: February 2018. Updated: July 2019.

A guide to managing data breaches in accordance with the Privacy Act 1988 (Cth)

Foreword

Strong data management is integral to the operation of businesses and government agencies worldwide. Digital platforms and technologies that utilise user data to provide personalised products or services have proliferated across communities and industries. At the same time, data analysis has been widely recognised for its value as fuel for innovation that can benefit the community in unprecedented ways, including identifying gaps in services, revealing needs for new or different products, and enabling better-informed policy-making.

In this environment, the success of an organisation that handles personal information, or of a project that involves personal information, depends on trust. People have to trust that their privacy is protected, and be confident that personal information will be handled in line with their expectations. As we've found in our long-running national community attitudes to privacy survey, if an organisation does not demonstrate a commitment to privacy, people will look for alternative suppliers, products, and services. One of the biggest risks organisations face in this context is a data breach. A data breach involving personal information can put affected individuals at risk of serious harm and consequently damage an organisation's reputation as a data custodian.

However, it is important to recognise that consumer and community trust is not necessarily extinguished immediately after a data breach occurs. After all, history has shown us that even organisations with great information security can fall victim to a data breach, due to the rapid evolution of data security threats and the difficulty of removing the risk of human error in large and complex organisations. When a data breach occurs, a quick and effective response can have a positive impact on people's perceptions of an organisation's trustworthiness. That is why being prepared for a data breach is important for all organisations that handle personal information.

By an effective response to a data breach, I mean a response that successfully reduces or removes the risk of harm to individuals, and which aligns with legislative requirements and community expectations. This guide aims to assist you in developing and implementing an effective data breach response. It outlines the requirements relating to data breaches in the Privacy Act 1988 (Cth) (Privacy Act), including personal information security requirements and the mandatory data breach reporting obligations of the Notifiable Data Breaches (NDB) scheme. The guide also covers other key considerations in developing a robust data breach response strategy, including the key steps to take when a breach occurs, the capabilities of staff, and governance processes.

While this guide is primarily for Australian Government agencies and private sector organisations with obligations under the Privacy Act, the information provided is useful to any organisation operating in Australia. Taken as a whole, this guide provides a framework for meeting expectations for accountability and transparency in data breach prevention and management, which is key to maintaining and building consumer and community trust.

Timothy Pilgrim PSM
Australian Information Commissioner
Australian Privacy Commissioner

Contents

Foreword 2
Purpose and structure of this guide 5
  Who should use this guide? 5
  How to use this guide 5
  A cautionary note 6
Part 1: Data breaches and the Australian Privacy Act 7
  Key points 7
  What is a data breach? 7
  Consequences of a data breach 7
  The Australian Privacy Principles 8
  The Notifiable Data Breaches (NDB) scheme 9
  Other obligations 10
Part 2: Preparing a data breach response plan 12
  Key points 12
  Why do you need a data breach response plan? 12
  What is a data breach response plan? 12
  What should the plan cover? 13
  Data breach response team membership 14
  Actions the response team should take 16
  Other considerations 16
  Data breach response plan quick checklist 17
Part 3: Responding to data breaches - Four key steps 18
  Key points 18
  Overview 18
  Step 1: Contain 20
  Step 2: Assess 20
  Step 3: Notify 21
  Step 4: Review 21
Part 4: Notifiable Data Breach (NDB) Scheme 23
  Entities covered by the NDB scheme 24
  Data breaches involving more than one entity 29
  Identifying eligible data breaches 32
  Exceptions to notification obligations 42
  Assessing a suspected data breach 46
  Notifying individuals about an eligible data breach 48
  What to include in an eligible data breach statement 52
  Australian Information Commissioner's role in the NDB scheme 55
Part 5: Other sources of information 59
  Other OAIC resources 60
  Cyber security resources 60
Appendix A: Key terms 61

Purpose and structure of this guide

The Office of the Australian Information Commissioner (OAIC) has prepared this guide to assist Australian Government agencies and private sector organisations (entities) to prepare for and respond to data breaches in line with their obligations under the Privacy Act 1988 (Cth) (Privacy Act).

The guide is in five parts.

Part 1: Data breaches and the Australian Privacy Act

This section outlines the requirements of the Privacy Act that relate to personal information security and data breach response strategy. The principles contained within the Privacy Act for the handling of personal information may be adopted by any entity to lower the risk of a data breach occurring and to effectively reduce the impact of a data breach.

Part 2: Preparing a data breach response plan

The faster an entity responds to a data breach, the more likely it is to effectively limit any negative consequences. A data breach response plan is essential to facilitate a swift response and ensure that any legal obligations are met following a data breach.

Part 3: Responding to data breaches - Four key steps

An effective data breach response generally follows a four-step process: contain, assess, notify, and review. This section outlines key considerations for each of these steps to assist entities in preparing an effective data breach response.

Part 4: Notifiable Data Breaches

This section outlines the requirements of the NDB scheme under the Privacy Act. The NDB scheme contains mandatory data breach reporting obligations in relation to certain data breaches, and requirements to assess suspected data breaches.

Part 5: Other sources of information

The obligations of the Privacy Act in relation to data breaches co-exist with other reporting obligations. This section assists entities in identifying where they can find information about other data breach reporting requirements.

Who should use this guide?

Any entity that handles personal information can use this guide to inform its preparation and response strategy for a data breach. However, this guide is primarily targeted at entities that have obligations under the Privacy Act to protect personal information. These entities are required to take reasonable steps to protect the personal information that they hold, and may be required to notify affected individuals and the Australian Information Commissioner (Commissioner) of a data breach under the NDB scheme.
