A data breach occurs when personal information is lost or subjected to unauthorised access or disclosure. Information that is not, on the face of it, about an individual can be personal information if, when combined with other information, an individual is ‘reasonably identifiable’.
A data breach may be malicious, or the result of human error or a failure in information handling or security systems, and could include:
Part IIIC of the Privacy Act 1988 establishes the Notifiable Data Breach (NDB) scheme. The NDB scheme is designed to enhance accountability for privacy protection and ensure individuals are notified if their personal information is involved in a data breach that is likely to result in serious harm.
Under the NDB scheme, an ‘eligible data breach’ occurs where:
There is no single method of responding to a data breach. Data breaches must be dealt with on a case-by-case basis, by undertaking an assessment of the risks, and using that risk assessment to decide the appropriate course of action. Depending on the nature of the breach, the Response Team may need to include additional staff or external experts, for example an IT specialist/data forensics expert or a human resources adviser.
The key steps when responding to a data breach or suspected data breach are:
Depending on the breach, not all steps may be necessary, or some steps may be combined. In some cases, it may be appropriate to take additional steps that are specific to the nature of the breach.
If possible, the Response Team should undertake steps 1, 2 and 3 simultaneously or in quick succession. At all times, the Response Team should consider whether remedial action can be taken to reduce any potential harm to individuals.
Consider whether others, such as the Australian Cyber Security Centre, police or other law enforcement, or other agencies or organisations, should be notified. Notification may be required under a contract or MOU, and is strongly recommended where other parties may be able to assist in containing the breach or in supporting individuals affected by it.
Notification to the Office of the Australian Information Commissioner (OAIC) is required for eligible data breaches and is made using the OAIC’s NDB form.
The company has Cyber Liability & Privacy Protection Insurance in place.