AU data breach notification guide: A guide to handling personal information security breaches
The Office of the Australian Information Commissioner has released Data breach notification guide: A guide to handling personal information security breaches. Some excerpts:
Preventing data breaches — obligations under the Privacy Act
Security is a basic element of information privacy. In Australia, this principle is reflected in the Privacy Act in the APPs.
Agencies and organisations are required to take reasonable steps to protect the personal information they hold from misuse, interference and loss, and from unauthorised access, modification or disclosure. This requirement is set out in APP 11 (see Appendix A for APP 11).
Sections 20Q and 21S of the Privacy Act impose equivalent obligations on credit reporting agencies and all credit providers. Similarly, guideline 6.1 of the statutory TFN guidelines requires TFN recipients to protect TFN information by such security safeguards as are reasonable in the circumstances.
Depending on the circumstances, those reasonable steps may include the preparation and implementation of a data breach policy and response plan. Notification of the individuals who are or may be affected by a data breach, and the OAIC, may also be a reasonable step (see page 9).
Responding to data breaches: four key steps
Data breaches can be caused or exacerbated by a variety of factors, affect different types of personal information and give rise to a range of actual or potential harms to individuals, agencies and organisations.
As such, there is no single way of responding to a data breach. Each breach will need to be dealt with on a case-by-case basis, undertaking an assessment of the risks involved, and using that risk assessment as the basis for deciding what actions to take in the circumstances.
There are four key steps to consider when responding to a breach or suspected breach:
Step 1: Contain the breach and do a preliminary assessment
Step 2: Evaluate the risks associated with the breach
Step 3: Notification
Step 4: Prevent future breaches
Each of the steps is set out in further detail below.
You can access the guide (49 pp, pdf) here.