We’re hearing the phrase ‘data breach’ more often these days. Usually it’s in media reports about organisations that have leaked the personal information they collected about individuals, whether inadvertently or as the result of an attack. The question of the day is: does YOUR business have a plan for what it would do in response to a data breach?
A data breach can severely harm your reputation and can have adverse impacts on your bottom line. Some businesses have even had to shut their doors after a data breach, as consumers will quickly lose trust in you if you fail to keep their personal information private.
However, given the speed at which technology has been advancing, it’s no surprise that businesses sometimes struggle to keep up with privacy threats that new technologies pose.
The Privacy Act 1988 (Cth) (Privacy Act) has undergone major reform to keep up with changes in technology. It now contains 13 Australian Privacy Principles (APPs). These APPs impose obligations on businesses like yours regarding how you deal with personal information.
To supplement the Privacy Act, the Notifiable Data Breaches Scheme (NDBS) was introduced in 2018. This obliges you to report an ‘eligible data breach’ to the affected individuals and to the Office of the Australian Information Commissioner (OAIC).
The APPs impose obligations on entities to comply with the NDBS. In particular:
- APP 1 requires entities to take ‘reasonable steps’ to establish systems that ensure their compliance with the APPs; and
- APP 11 requires an entity to take ‘reasonable steps’ to protect the personal information it holds.
To help you comply, the OAIC has released guidelines that outline how to prepare a Data Breach Response Plan (DBRP).
The DBRP is a proactive, documented plan to identify and explain how you will respond to a data breach. Whilst a DBRP is not mandatory under the Privacy Act, it may be a ‘reasonable step’ you can take to ensure compliance with APP 1 and APP 11. It also sets out a clear procedure for employees to follow in the event of a data breach.
A DBRP can mitigate the harm to an organisation if a data breach were to occur. It allows you to respond quickly to a data breach and take appropriate remedial action to limit the scope of the breach and the detriment caused, both to the affected individuals and to the organisation. It can also contribute to building public trust and help you meet your obligations under the Privacy Act.
There is no prescribed form for a DBRP. Each DBRP must be adapted to the unique circumstances of your business. However, the OAIC has provided recommendations on what a DBRP should cover, including:
- Identification: what counts as a ‘data breach’ for your business.
- Strategy: how a data breach will be dealt with, following these steps:
  - Contain: outline the immediate action to be taken.
  - Assess: consider the scope of the breach and what next steps are appropriate.
  - Notify: if it is an ‘eligible data breach’, give notification in accordance with the legislative requirements.
  - Review: determine what caused the breach and implement procedures to prevent it from recurring.
- Staff: roles and responsibilities when a data breach occurs.
- Documentation: record-keeping procedures so that all data breaches are recorded.
- Review: procedures to analyse how staff responded and to prevent the data breach from recurring.
It is important for all entities subject to the Privacy Act to have a clear DBRP in place to prevent the significant harm and fines that can result from a data breach.
If this applies to your organisation, please talk to PBL Law Group about drafting a DBRP.