Data Breach Policy

What is a Data Breach (DB)?

A data breach occurs when personal information is lost or subjected to unauthorised access or disclosure. Information that is not, on the face of it, about an individual can be personal information if, when combined with other information, an individual is ‘reasonably identifiable’.

A data breach may be malicious, or the result of human error or a failure in information handling or security systems, and could include:

  • theft of a document containing personal information
  • sending an email containing personal information to the wrong person
  • inadequate identity verification procedures resulting in the disclosure of personal information to a scammer.

What is a Notifiable Data Breach (NDB)?

Part IIIC of the Privacy Act 1988 establishes the Notifiable Data Breach (NDB) scheme. The NDB scheme is designed to enhance accountability for privacy protection and ensure individuals are notified if their personal information is involved in a data breach that is likely to result in serious harm.

Under the NDB scheme, an ‘eligible data breach’ occurs where:

  • personal information is lost (in circumstances where unauthorised access or disclosure is likely to result) or is subjected to unauthorised access or disclosure, and
  • the loss, access or disclosure is likely to result in serious harm to one or more individuals to whom the information relates, and
  • the entity has been unable to prevent the likely risk of serious harm with remedial action.

Where an eligible data breach occurs or is suspected, Astute is required to notify affected clients and the Office of the Australian Information Commissioner (OAIC); the Australian Cyber Security Centre, police/law enforcement, or other agencies or organisations may also need to be notified.

Data Breach Response Process

There is no single method of responding to a data breach. Data breaches must be dealt with on a case-by-case basis, by undertaking an assessment of the risks, and using that risk assessment to decide the appropriate course of action. Depending on the nature of the breach, the Response Team may need to include additional staff or external experts, for example an IT specialist/data forensics expert or a human resources adviser.

The key steps when responding to a data breach or suspected data breach are:

  • STEP 1: Contain
  • STEP 2: Assess Risk
  • STEP 3: Breach Notification
  • STEP 4: Review and Prevent
  • STEP 5: Post Review Evaluation

Depending on the breach, not all steps may be necessary, or some steps may be combined. In some cases, it may be appropriate to take additional steps that are specific to the nature of the breach.

If possible, the Response Team should undertake steps 1, 2 and 3 simultaneously or in quick succession. At all times, the Response Team should consider whether remedial action can be taken to reduce any potential harm to individuals.

Should others, such as the Australian Cyber Security Centre, police/law enforcement, or other agencies or organisations be notified? Notification may be required under contract or MOU, and is highly recommended where other parties may be able to assist in containing the breach or can assist individuals affected by the breach.

Office of the Australian Information Commissioner (OAIC) notification is required for eligible data breaches using the OAIC’s NDB form.

Insurance

The company has Cyber Liability & Privacy Protection Insurance in place.