Purpose and structure of this guide
The Office of the Australian Information Commissioner (OAIC) has prepared this guide to assist Australian Government agencies and private sector organisations (entities) prepare for and respond to data breaches in line with their obligations under the Privacy Act 1988 (Cth) (Privacy Act).
The guide is in five parts.
Part 1: Data breaches and the Australian Privacy Act
This section outlines the requirements of the Privacy Act that relate to personal information security and data breach response strategy. The principles contained within the Privacy Act for the handling of personal information may be adopted by any entity to lower the risk of a data breach occurring and to effectively reduce the impact of a data breach.
Part 2: Preparing a data breach response plan
The faster an entity responds to a data breach, the more likely it is to effectively limit any negative consequences. A data breach response plan is essential to facilitate a swift response and ensure that any legal obligations are met following a data breach.
Part 3: Responding to data breaches — Four key steps
An effective data breach response generally follows a four-step process — contain, assess, notify, and review. This section outlines key considerations for each of these steps to assist entities in preparing an effective data breach response.
Part 4: Notifiable Data Breaches
This section outlines the requirements of the NDB scheme under the Privacy Act. The NDB scheme contains mandatory data breach reporting obligations in relation to certain data breaches, and requirements to assess suspected data breaches.
Part 5: Other sources of information
The obligations of the Privacy Act in relation to data breaches co-exist with other reporting obligations. This section assists entities in identifying where they can find information about other data breach reporting requirements.
A cautionary note
There is no ‘one size fits all’ solution to preparing for and responding to data breaches. This guide does not provide detailed information about the systems or processes an entity may put in place to manage data breaches.
Further, this guide does not provide detailed information about other obligations that may apply to entities in addition to the Privacy Act. Entities should consider their privacy obligations alongside other relevant legal requirements and standards.
The guide does not constitute or replace legal advice on obligations under the Privacy Act. It is published by the Commissioner to provide general information to help entities meet the requirements of the Privacy Act. Entities are encouraged to seek professional advice tailored to their own circumstances where required.
What is a data breach?
A data breach occurs when personal information that an entity holds is subject to unauthorised access or disclosure, or is lost.
Personal information is information about an identified individual, or an individual who is reasonably identifiable.
Entities should be aware that information that is not about an individual on its own can become personal information when it is combined with other information, if that combination results in an individual becoming ‘reasonably identifiable’.
A data breach may be caused by malicious action (by an external or insider party), human error, or a failure in information handling or security systems.
Examples of data breaches include:
loss or theft of physical devices (such as laptops and storage devices) or paper records that contain personal information
unauthorised access to personal information by an employee
inadvertent disclosure of personal information due to ‘human error’, for example an email sent to the wrong person
disclosure of an individual’s personal information to a scammer, as a result of inadequate identity verification procedures.
Consequences of a data breach
Data breaches can cause significant harm in multiple ways.
Individuals whose personal information is involved in a data breach may be at risk of serious harm, whether that is harm to their physical or mental well-being, financial loss, or damage to their reputation.
Examples of harm include:
financial fraud including unauthorised credit card transactions or credit fraud
identity theft causing financial loss or emotional and psychological harm
physical harm or intimidation.
A data breach can also negatively impact an entity’s reputation for privacy protection, and as a result undercut an entity’s commercial interests. As shown in the OAIC’s long-running national community attitudes to privacy survey, privacy protection contributes to an individual’s trust in an entity. If an entity is perceived to be handling personal information contrary to community expectations, individuals may seek out alternative products and services.
An entity can reduce the reputational impact of a data breach by effectively minimising the risk of harm to affected individuals, and by demonstrating accountability in its data breach response.
This involves being transparent when a data breach that is likely to cause serious harm to affected individuals occurs. Transparency enables individuals to take steps to reduce their risk of harm. It also demonstrates that an entity takes its responsibility to protect personal information seriously, which is integral to building and maintaining trust in an entity’s personal information handling capability.
Data breach preparation and response
A guide to managing data breaches in accordance with the Privacy Act 1988 (Cth)
Australian Government – Office of the Australian Information Commissioner
The following are extracts from the complete document which is available online from the above source.
EXTRACT FROM THE FOREWORD
Strong data management is integral to the operation of businesses and government agencies worldwide. Digital platforms and technologies that utilise user data to provide personalised products or services have proliferated across communities and industries. At the same time, data analysis has been widely recognised for its value as fuel for innovation that can benefit the community in unprecedented ways, including identifying gaps in services, revealing needs for new or different products, and enabling better-informed policy-making.
In this environment, the success of an organisation that handles personal information or a project that involves personal information depends on trust. People have to trust that their privacy is protected, and be confident that personal information will be handled in line with their expectations.
As we’ve found in our long-running national community attitudes to privacy survey, if an organisation does not demonstrate a commitment to privacy, people will look for alternative suppliers, products, and services.
One of the biggest risks organisations face in this context is a data breach. A data breach involving personal information can put affected individuals at risk of serious harm and consequently damage an organisation’s reputation as a data custodian.
Timothy Pilgrim PSM
Australian Information Commissioner
Australian Privacy Commissioner
The Notifiable Data Breaches (NDB) scheme
The NDB scheme in Part IIIC of the Privacy Act requires entities to notify affected individuals and the Commissioner of certain data breaches.
The NDB scheme requires entities to notify individuals and the Commissioner about ‘eligible data breaches’. An eligible data breach occurs when the following criteria are met:
There is unauthorised access to or disclosure of personal information held by an entity (or information is lost in circumstances where unauthorised access or disclosure is likely to occur).
This is likely to result in serious harm to any of the individuals to whom the information relates.
The entity has been unable to prevent the likely risk of serious harm with remedial action.
Entities must also conduct an assessment if it is not clear if a suspected data breach meets these criteria. The assessment will determine whether the breach is an ‘eligible data breach’ that triggers notification obligations.
The primary purpose of the NDB scheme is to ensure individuals are notified if their personal information is involved in a data breach that is likely to result in serious harm. This has a practical function: once notified about a data breach, individuals can take steps to reduce their risk of harm. For example, an individual can change passwords to compromised online accounts, and be alert to identity fraud or scams.
The NDB scheme also serves the broader purpose of enhancing entities’ accountability for privacy protection. By demonstrating that entities are accountable for privacy, and that breaches of privacy are taken seriously, the NDB scheme works to build trust in personal information handling across industries.
Part 2: Preparing a data breach response plan
A quick response to a data breach, based on an up-to-date data breach response plan, is critical to effectively managing a breach
your data breach response plan should outline your entity’s strategy for containing, assessing and managing the incident from start to finish
this part will provide practical guidance to help you develop a comprehensive and effective data breach response plan.
Why do you need a data breach response plan?
All entities should have a data breach response plan. A data breach response plan enables an entity to respond quickly to a data breach. By responding quickly, an entity can substantially decrease the impact of a breach on affected individuals, reduce the costs associated with dealing with a breach, and reduce the potential reputational damage that can result.
A data breach response plan can help you:
Meet your obligations under the Privacy Act
Under the Privacy Act, an entity must take reasonable steps to protect the personal information that it holds. A data breach response plan focussed on reducing the impact of a breach can be one of these reasonable steps.
Limit the consequences of a data breach
A quick response can reduce the likelihood of affected individuals suffering harm. It can also lessen financial or reputational damage to the entity that experienced the breach.
Preserve and build public trust
An effective data breach response can support consumer and public confidence in an entity’s respect for individual privacy, and the entity’s ability to manage personal information in accordance with community expectations.
What is a data breach response plan?
A data breach response plan is a framework that sets out the roles and responsibilities involved in managing a data breach. It also describes the steps an entity will take if a data breach occurs.
Your data breach response plan should be in writing to ensure that your staff clearly understand what needs to happen in the event of a data breach. It is also important for staff to be aware of where they can access the data breach response plan on short notice.
You will need to regularly review and test your plan to make sure it is up to date and that your staff know what actions they are expected to take. You can test your plan by, for example, responding to a hypothetical data breach and reviewing how your response could be made more effective.
How regularly you test your plan will depend on your circumstances, including the size of your entity, the nature of your operations, the possible adverse consequences to an individual if a breach occurs, and the amount and sensitivity of the information you hold. It may be appropriate in some instances that a review of the plan coincides with the introduction of new products, services, system enhancements, or such other events which involve the handling of personal information.
What should the plan cover?
The more comprehensive your data breach response plan is, the better prepared your entity will be to effectively reduce the risks and potential damage that can result.
Information that your plan should cover includes:
A clear explanation of what constitutes a data breach
This will assist your staff in identifying a data breach should one occur (see What is a data breach? section above). You may also want to include potential examples of a data breach which are tailored to reflect your business activities.
A strategy for containing, assessing and managing data breaches
This strategy should include the actions your staff, and your response team, will take in the event of a data breach or a suspected data breach. Consider:
potential strategies for containing and remediating data breaches
ensuring you have the capability to implement those strategies as a matter of priority (e.g. having staff available to deal with the breach – see Response team membership section below). Your plan should reflect the capabilities of your staff to adequately assess data breaches and their impact, especially when breaches are not escalated to a response team
legislative or contractual requirements (such as the requirements of the NDB scheme if they apply to your entity)
a clear and immediate communications strategy that allows for the prompt notification of affected individuals and other relevant entities. In particular:
who is responsible for implementing the communications strategy
determining when affected individuals must be notified (refer to Identifying eligible data breaches for further information about mandatory data breach notification requirements under the NDB scheme)
how affected individuals will be contacted and managed
criteria for determining which external stakeholders should be contacted (for example, law enforcement and cyber security agencies, regulators such as the OAIC, and the media)
who is responsible for liaising with external stakeholders.
The roles and responsibilities of staff
Your plan should outline the responsibilities of staff members when there is a data breach, or a suspected data breach. Consider:
who staff should inform immediately if they suspect a data breach
the circumstances in which a line manager can handle a data breach, and when a data breach must be escalated to the response team. The following factors may determine when a data breach is escalated to the response team:
the number of people affected by the breach or suspected breach
whether there is a risk of serious harm to affected individuals now or in the future
whether the data breach or suspected data breach may indicate a systemic problem with your entity’s practices or procedures
other issues relevant to your circumstances, such as the value of the data to you or issues of reputational risk.
who is responsible for deciding whether the breach should be escalated to the response team. One option is for each senior manager to hold responsibility for deciding when to escalate a data breach to the response team. Another option is to have a dedicated role, such as the privacy contact officer.
Your plan should consider how your entity will record data breach incidents, including those that are not escalated to the response team. This will assist you in ensuring you have documentation of how your entity has met regulatory requirements.
Evaluating how a data breach occurred, and the success of your response, can help you improve your data handling and data breach management. Consider:
a strategy to identify and address any weaknesses in data handling that contributed to the breach
a system for a post-breach assessment of your entity’s response to the data breach and the effectiveness of your data breach response plan.
If you hold an insurance policy for data breaches, that insurer may have a pre-established panel of external service providers in many of the roles listed above. You may want to consult with your insurer as to the identity of that panel so they can be included in any response team. Alternatively, the insurer may have a hotline available to assist in the event of a data breach, and that could be noted in the response plan.
Which individuals carry out the roles outlined in your response team will depend on your circumstances. For example, in smaller entities it may not be necessary to include steps related to escalating the data breach to the response team, as this may be an automatic process. Depending on the size of your entity or the size of the breach, a single person may perform multiple roles. In smaller entities the owner/principal of the entity could potentially be the person who needs to respond to and act on that breach.
It is important that the response team has the authority to take the steps outlined in the response plan without needing to seek permission, as this will enable a faster response to the breach. The role of team leader should be carefully considered, as they should have sufficient ability and authority to effectively manage the various sections within the entity whose input is required and to report to senior management. It may be your senior member of staff with overall accountability for privacy, a senior lawyer (if you have an internal legal function) or another senior manager. If the breach is serious, it may be a senior executive.
Part 3: Responding to data breaches — four key steps
Each data breach response needs to be tailored to the circumstances of the incident.
In general, a data breach response should follow four key steps: contain, assess, notify and review.
Data breaches can be caused or exacerbated by a variety of factors, involve different types of personal information, and give rise to a range of actual or potential harms to individuals and entities.
As such, there is no single way of responding to a data breach. Each breach will need to be dealt with on a case-by-case basis, with an understanding of the risks posed by a breach and the actions that would be most effective in reducing or removing these risks.
Generally, the actions taken following a data breach should follow four key steps:
Step 1: Contain the data breach to prevent any further compromise of personal information.
Step 2: Assess the data breach by gathering the facts and evaluating the risks, including potential harm to affected individuals and, where possible, taking action to remediate any risk of harm.
Step 3: Notify individuals and the Commissioner if required. If the breach is an ‘eligible data breach’ under the NDB scheme, it may be mandatory for the entity to notify.
Step 4: Review the incident and consider what actions can be taken to prevent future breaches.
At any time, entities should take remedial action, where possible, to limit the impact of the breach on affected individuals. If remedial action is successful in preventing a likely risk of serious harm to individuals, the NDB scheme notification obligations may not apply.
In general, entities should:
take each data breach or suspected data breach seriously and move immediately to contain, assess and remediate the incident. Breaches that may initially seem immaterial may be significant when their full implications are assessed
undertake steps 1 (Contain), 2 (Assess), and 3 (Notify) either simultaneously or in quick succession. In some cases it may be appropriate to notify individuals immediately, before containment or assessment of the breach occurs
determine how to respond on a case-by-case basis. Depending on the breach, not all steps may be necessary, or some steps may be combined. In some cases, an entity may take additional steps that are specific to the nature of the breach.
The following diagram summarises the data breach response process. The parts of this process that are required by the NDB scheme are coloured red. The NDB scheme is explained in detail in Part 4 of this guide.
Step 1: Contain
Once an entity has discovered or suspects that a data breach has occurred, it should immediately take action to limit the breach.
For example, stop the unauthorised practice, recover the records, or shut down the system that was breached. If it is not practical to shut down the system, or if it would result in loss of evidence, then revoke or change computer access privileges or address weaknesses in physical or electronic security.
Addressing the following questions may help you identify strategies to contain a data breach:
How did the data breach occur?
Is the personal information still being shared, disclosed, or lost without authorisation?
Who has access to the personal information?
What can be done to secure the information, or stop the unauthorised access or disclosure, and reduce the risk of harm to affected individuals?
At this point, an entity may suspect an eligible data breach under the NDB scheme has occurred, which would trigger assessment obligations. Or, the entity may believe the data breach is an eligible data breach, which requires them to notify individuals as soon as practicable.
During this preliminary stage, be careful not to destroy evidence that may be valuable in identifying the cause of the breach, or that would enable the entity to address all risks posed to affected individuals or the entity.
Step 2: Assess
An assessment of the data breach can help an entity understand the risks posed by a data breach and how these risks can be addressed. It should be conducted as expeditiously as possible.
Gather and evaluate as much information about the data breach as possible. By creating a complete picture of the data breach, an entity can ensure they understand the risk of harm to affected individuals, and identify and take all appropriate steps to limit the impact of a data breach.
This assessment should also assist entities in deciding whether affected individuals must be notified.
In your assessment of a data breach, consider:
the type or types of personal information involved in the data breach
the circumstances of the data breach, including its cause and extent
the nature of the harm to affected individuals, and if this harm can be removed through remedial action.
All entities should consider whether remedial action can be taken to reduce any potential harm to individuals. This might also take place during Step 1: Contain, such as by recovering lost information before it is accessed.
Entities subject to the NDB scheme are required to conduct an assessment of ‘suspected’ eligible data breaches and take reasonable steps to complete this assessment within 30 days (see Assessing a suspected data breach). Criteria for assessing a data breach, including the risk of harm and remedial action, are explored in Identifying eligible data breaches.
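As an added example (not from the OAIC guide), a small Python triage helper that encodes the escalation factors listed under roles and responsibilities, the three eligible data breach criteria from the NDB scheme section, the remedial-action exception, and the 30-day assessment window for suspected breaches. The field names, the affected-count threshold and the sample incident are assumptions for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assessment window the guide states for entities subject to the NDB scheme.
ASSESSMENT_WINDOW_DAYS = 30


@dataclass
class SuspectedBreach:
    """Facts gathered during Contain and Assess (field names are this example's own)."""
    description: str
    became_aware: date                 # day the entity first suspected the breach
    unauthorised_access_or_disclosure: bool
    lost_with_access_likely: bool      # lost where unauthorised access/disclosure is likely
    info_types: list = field(default_factory=list)
    affected_count: int = 0
    serious_harm_likely: bool = False
    remedial_action_prevented_harm: bool = False  # remedial action removed the likely risk
    possible_systemic_problem: bool = False
    assessment_completed: bool = False


def should_escalate(b: SuspectedBreach, count_threshold: int = 10) -> bool:
    """Escalation factors from the plan: number affected, serious harm, systemic problem.
    The count threshold is an assumed, entity-specific value."""
    return (b.affected_count >= count_threshold
            or b.serious_harm_likely
            or b.possible_systemic_problem)


def assessment_deadline(b: SuspectedBreach) -> date:
    """Reasonable steps to complete the assessment within 30 days of becoming aware."""
    return b.became_aware + timedelta(days=ASSESSMENT_WINDOW_DAYS)


def is_eligible_data_breach(b: SuspectedBreach) -> bool:
    """All three NDB criteria must hold; successful remedial action removes eligibility."""
    compromised = b.unauthorised_access_or_disclosure or b.lost_with_access_likely
    return compromised and b.serious_harm_likely and not b.remedial_action_prevented_harm


def required_actions(b: SuspectedBreach, today: date) -> list:
    """Map the facts to the four-step response: contain, assess, notify, review."""
    actions = ["contain: stop the unauthorised practice and preserve evidence"]
    if should_escalate(b):
        actions.append("escalate to response team")
    if not b.assessment_completed:
        deadline = assessment_deadline(b)
        status = "overdue" if today > deadline else "due by " + deadline.isoformat()
        actions.append("assess: " + status)
    if is_eligible_data_breach(b):
        actions.append("notify affected individuals as soon as practicable")
        actions.append("notify the Commissioner")
    actions.append("review: root cause analysis and prevention plan")
    return actions


def sample_incident() -> SuspectedBreach:
    """Constructed incident: an email with client details sent to the wrong recipient."""
    return SuspectedBreach(
        description="spreadsheet of client contact and bank details emailed externally",
        became_aware=date(2024, 3, 1),
        unauthorised_access_or_disclosure=True,
        lost_with_access_likely=False,
        info_types=["contact details", "bank account numbers"],
        affected_count=3,
        serious_harm_likely=True,      # financial fraud is a realistic outcome
    )


if __name__ == "__main__":
    incident = sample_incident()
    for action in required_actions(incident, today=date(2024, 3, 5)):
        print(action)
```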
Step 3: Notify
Notification can be an important mitigation strategy that has the potential to benefit both the entity and the individuals affected by a data breach. The challenge is to determine when notification is appropriate. Sometimes, notifying individuals can cause undue stress or harm. For example, notifying individuals about a data breach that poses very little or no risk of harm can cause unnecessary anxiety. It can also de-sensitise individuals so that they don’t take a notification seriously, even when there is a real risk of serious harm. Each incident needs to be considered on a case-by-case basis to determine whether breach notification is required. Consider:
the obligations of the entity under the NDB scheme. Entities are required to notify individuals and the Commissioner about data breaches that are likely to result in serious harm. Part 4 of this guide provides further detail about the NDB scheme’s requirements
other circumstances in which individuals should be notified. For example, your entity may not have obligations under the NDB scheme, but have processes in place to notify affected individuals in certain circumstances
how notification should occur, including:
what information is provided in the notification
how the notification will be provided to individuals
who is responsible for notifying individuals and creating the notification.
who else other than affected individuals (and the Commissioner if the notification obligations of the NDB scheme apply) should be notified
where a law enforcement agency is investigating the breach, it may be appropriate to consult the investigating agency before making details of the breach public
whether the incident triggers reporting obligations to other entities.
Effective data breach response is about reducing or removing harm to affected individuals, while protecting the interests of your organisation or agency. Notification has the practical benefit of providing individuals with the opportunity to take steps to protect their personal information following a data breach, such as by changing account passwords or being alert to possible scams resulting from the breach. It is important that staff are capable of engaging with individuals who have been affected by a data breach with sensitivity and compassion, in order not to exacerbate or cause further harm. Notification can also help build trust in an entity, by demonstrating that privacy protection is taken seriously.
Step 4: Review
Once steps 1 to 3 have been completed, an entity should review and learn from the data breach incident to improve its personal information handling practices.
This might involve:
a security review including a root cause analysis of the data breach
a prevention plan to prevent similar incidents in future
audits to ensure the prevention plan is implemented
a review of policies and procedures and changes to reflect the lessons learned from the review
changes to employee selection and training practices
a review of service delivery partners that were involved in the breach.
In reviewing information management and data breach response, an entity can refer to the OAIC’s Guide to securing personal information. When reviewing a data breach incident, it is important to use the lessons learned to strengthen the entity’s personal information security and handling practices, and to reduce the chance of reoccurrence. A data breach should be considered alongside any similar breaches that have occurred in the past, which could indicate a systemic issue with policies or procedures.
If any updates are made following a review, staff should be trained in any changes to relevant policies and procedures to ensure a quick response to a data breach.
Please note the above is an extract only. For the complete document see the source document –
Australian Government – Office of the Australian Information Commissioner
"The dark web is where the majority of stolen data is monetised.
CCS can provide you with an automated early notification platform, to alert you when VIP or company data is placed for sale on the dark web. The CCS team can also assist to reduce your exposure to cyber threat by way of culture change through education of staff."