Attorney General publishes submissions to draft Mandatory Data Breach Bill and Privacy Commissioner releases Guide to developing Data Breach response plan

April 21, 2016 |

Australia is yet to have mandatory data breach notification legislation. The Attorney General’s Department has published the submissions it received to the draft serious data breach notification bill.

Notably  the submissions state (taking the highlights):

  • Avant Mutual Group Limited, a medical defence organisation.  Against. The complaint in essence is the “..enormous regulatory and compliance burden on medical practitioners, who are already required to comply with Commonwealth privacy legislation even though they might be small businesses: organisations that hold health information are not able to take advantage of the small business exemption under privacy legislation.”  In other words Avant complains that its members can’t enjoy the benefit of one of the Privacy Act’s biggest flaws, the poor coverage with the small business exemption. It also essentially claims that Avant provides advice as to manage privacy breaches including “..including notifying patients where appropriate and taking remedial steps to lessen the impact.”  Not an uncommon response from a mutual defence fund.  As a policy document there is less to it than meets the eye.
  • The Association for Data Driven Marketing and Advertising. Not supportive.  It says the evidence to support such legislation is lacking.  That is a very myopic view.  The complaint about potential to cause notification fatigue runs in another direction.  It assumes too many notifications.  Of data breaches.  As in there is evidence to support such legislation.  The complaint about a real risk of serious harm is legitimate.  It is a poor definition.  Generally this is a muddled, self serving, submission.
  • Australian Bankers Association.  Nuanced.  In its detailed 11 page submission it raises the weaknesses in the Bill.  It is a well drafted document.  It should be considered closely and taken very seriously.
  • The ABC. Neutral.  The ABC’s submission is a technical analysis.  It takes issue with the 30 day rule on notification, section 26WC(2) and when an organisation ought to be aware of a data breach.  It quibbles with the consistency of the cross border obligations under APP 8.1 and the provisions of the bill.  It also complains about the breadth of harm.  It is quite a good submission. It seeks to raise the bar for triggering the notification and compliance.
  • Australian Communications Consumer Action Network (ACCAN).  Supportive.  The amendments it seeks is to shorten time frames for reporting and removing mitigation
  • Australian Finance Conference.  Not oppose but the effect of the submissions would be to weaken the operation of the legislation.  The AFC seeks to include reference to amending 26WB so as to “clarify” the meaning of what is rendered unintelligible by making specific reference to encryption with a definition of encryption being “..rendered unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security.” The presumption is that encrypted information is “outside the data breach notification requirements.”  As with other submissions there is concern about the meaning about “real risk” and “serious harm”.  The AFC complains about the notification requirements, in particular the “ought reasonably to be aware” obligation.  The argument is that it leads to hindsight analysis.  This argument lacks logic and the other arguments are more confection than analysis.  The “ought reasonably..” formulation is well used in statutes and long considered by the courts.  Not having it there is a worse outcome for proper functioning of the legislation.  The AFC wants to broaden the exemption power of the Privacy Commissioner under section 26WC (7).  The AFC raises concerns on situations where there is a breach in the distribution network and the issue is who notifies.   This is not a significant issue.  The legislation is clear on who notifies
  • Australian Information Industry Association. Cautiously supportive but recommends amendments.  It joins with others in criticising the definition of real risk of serious harm.  It asserts notification fatigue, which is more speculative than an actual problem, and seeks to raise the bar on when notification is made.  The Association moves into dangerous territory when it seeks to lessen responsibility for breaches by third parties who are holding the personal information.  This is silly.  It also wants to loosen the requirements about time to make an assessment by removing reference to “as soon as practicable”.
  • Australian Information Security Association.  The submission was based on a survey of members rather than an analytical submission.  Very supportive as a principle, regarding the legislation as a good first step only.  But with amendments.  As with other the definition of real risk and harm are criticized.  The Association wants to lower the threshold for notification.
  • Australian Law Reform Commission.  Supportive save that it would prefer all recommendations made, most of which were included in the Bill, be included in the Bill.
  •  Australian Privacy Foundation.  Very supportive.  Amendments proposed.  As I was one of the key drafters of the submission it is hard to comment further.
  • Australian Retail Credit Association.  Not opposed but the recommendations would weaken the legislation.  The Association complains about definition of harm and real risk.  That is common to many submissions.  it also complains about the meaning of reasonable grounds.  This is a non issue.  The law has long considered this concept.  It does not require massaging.  The complaint about ought reasonably be aware is the subject of concern.  It says that the 30 day period is too short.  It raises issues of joint holding of information.  This complaint is more illusory than real if proper enquiries are made. A “safe harbour” provision for encrypted data is recommended. Bad idea even if it is part of Californian law.
  • BSA – the Software Alliance.  Generally opposed. Another complaint about the definition of a serious data breach and “as soon as practicable.”  It seeks to have a two step approach to breach notification.  Not a good idea.
  • Communications Alliance.  Generally negative, seeks amendment which would reduce the effectiveness of the legislation.  There are legitimate concerns including the meaning of serious data breach, real risk and serious harm.  And there is a lot of what ifs in the submission, such as the risk of multiple notifications for the same breach.  I am far from convinced this is a real problem.  As with the unenthusiastic the recommendations run to increasing the threshold for notification, placing considerably more weight to mitigation, including having encryption and wanting a longer time frame to notify. And the Commissioner should have a broader power to exempt but more weighting be given to remedial steps to reduce any civil penalty.
  • Insurance Brokers – Cyber Data-Risk Managers.  Supportive in a short submission.
  • Cyberspace Law and Policy Community. Very supportive in a long and detailed submission.  Recommends amendment which would strengthen and not lessen obligations on organisations and entities.  That includes clearer specification on what alternative notification arrangements, increased penalties, compel notifications to consumer reporting agencies, make an entities role clearer, requiring all breaches to be notified to the Privacy Commission and notification mandatory for breach of encrypted data.
  • Department of Employment. Supportive.  While it finds a 30 day time limit as appropriate it recommends a power to extend time.
  • Department of Finance.  Supportive but… It sees no need to notify the Privacy Commissioner in all cases of serious data breach.  In that context it doesn’t like the definition of serious data breach.  It likes the 2 tier system of notification in California.
  • Department of Immigration and Border Protection.  Supports but wants changes.  Wants longer time to assess and to notify the Commissioner.  It is concerned about the interaction between the legislation and its secrecy provisions in its legislation.  Wants better guidelines from the Privacy Commisioner.  It is not alone there.
  • Department of Social Services.  Doesn’t say one way or another.  Generally it says it will work but require a lot of work to comply.
  • Digital Industry Group.  Not supportive. Thinks the voluntary notification system works.  If the legislation is enacted it will set a high threshold for notification and a lot longer to investigate and on that note the OAIC should share the burden.  And no penalty or rare penalty proceedings.
  • Electronic Frontiers Australia.  Very supportive.  It should involve a statutory right to privacy.  The EFA doesn’t like the meaning of serious risk and serious harm.  The threshold should be a real risk of harm and a significant breach.
  • Financial Services Council.  Lukewarm, bordering on the chilly, support.  Recommends a two tiered approach to notification, the OAIC provide guidance on when not to notify (where minimal impact).  This is not practical and won’t happen.  The guidelines have no force of law.  It dislikes the phrase “ought reasonably to be aware”, as if this phrase has never been considered by the courts. It does not want to consider the impact on individuals but rather groups of individuals.  And increase the situations when notifications are not required.
  • FireEye.  Supportive.
  • GRC Institute. Not stated but wishes to loosen the obligations.  It dislikes the definition of serious harm and wants to give “..latitude to organisations for reasonably general assumptions about the circumstances of the individuals affected by the breach and/or the circumstances of the breach.” Whatever that means. Wants extra latitude when dealings with overseas recipients.  Instead of 30 days to assess and notify wants 21 – 30 days for assessment nand 14 days for notification.
  • IDCARE.  Very supportive.  It wants more clarity on what constitutes “sensitivity” of information. It’s view is that “..organisations that have experienced data breaches and the clients and staff impacted can hold vastly different views on what is “sensitive”, what is “harmful”, and what are effective “mitigation steps”.  That is quite a valid criticism.  Especially if there is poor regulatory oversight.  It is a particularly useful submission as it sets out details of data breaches.
  • International Board of Directors ISACA.  Supportive.  It wants provisions to specify the qualifications of those who evaluate data breaches & some provision relating to ICT governance.  That is unlikely to happen.  It also seeks more guidance on what is meant by serious harm.
  • Insurance Council of Australia. Supportive but wants significant amendments which may limit its operation.  It does not like the definition of harm and risk.  It wants more specific definitions.  That is hardly a surprise for an insurance lobby group.  It complains that the Explanatory memorandum regarding section 26WB(3)(b) & (d) goes beyond the provisions of the sections themselves.  I am not convinced.  In any event the the provisions are the starting point.  Again there is a call for more guidance.  The problem is that the Guidance is not a regulation.  The Council also complains about the “ought reasonably be aware” phrase and the 30 day period.  It believes that sections 26WB(1) and 26WC do not properly interact. I am not convinced.  It also seeks more specific drafting on the section 26WC(3)(d) and what should be in a notification.  This is probably unduly limiting.  It also seeks to limit the scope of the Commissioner’s powers under section 26WD(2)(b). The Council raised the operation of section 7B(5) with sections 26WB and its requirement to comply with the Privacy Act under government contracts.  That has more to do with the relationship between the Council’s members and the government providers rather than a flaw in the legislation.
  • Interactive games and entertainment association.  Not supportive.  The voluntary system fines it says.   As with others it seems to wants more comprehensive guidelines.  This is an erroneous approach.  Courts may provide more substance but he guidance has no legal power.  It may, culturally, limit the Commissioner’s office. It wants to limit the personal information that would carry with it a risk of harm.  It shouldn’t cover material which the individual has consented to be used by third parties.  This is nonsense.  The whole idea of  data breach notification legislation is what is unauthorised access and/disclosure.  It wants more weight given to reasonable security measures.
  • Law Council of Australia.  Supportive. The LCA has produced a very detailed analysis. It wants an earlier start date.  It wants to remove “other information” from section 26WA.  Probably not necessary but understandable. As with a number of other parties, it does not favour having a regulatory power associated with the legislation.  It wants to tighten the definition of risk from being not remote to one of “‘real risk’, ‘likely risk’ or ‘probable risk’.  This recommendation is reasonable but much ado about nothing in the practical administration of the legislation.  It seeks a more generic list of relevant matters.  It does not like the definition of harm and prefers reference to loss and damage.  I doubt this is an improvement.  Far from it.  It also does not like “ought reasonably be aware” within the timing provision of section 26WC(1) and seeks to have reference to “if ‘reasonable steps were taken to ensure security of personal information, the entity would have been aware’ or a similar formulation that aligns with APP 11.” The proposed amendment is interesting but risks being cumbersome.  APPs being generalised principles the wording does not add clarity.  In any event it is likely to give rise to a two stage process, determining whether reasonable steps were taken in security set up for the purpose of APP 11 and then applying to the fact situation. Why not have the courts consider them and provide structure to this provision.  It recommends permitting the Commissioner to extend the 30 day time limit.  A reasonable approach provided there are some in built constraints on the use of the power.  It also wishes to have one party provide notification where there is a data breach and multiple parties hold personal information.  This is an illusory problem.  If the  data breach affects one organisation it provides the notice.  Other parties may hold the personal information but not be subject to a data breach.  They don’t need to make a notification.  In the rare event where multiple parties are affected by one or more data breaches involving the same personal information then it is reasonable for all impacted organisations to provide notice.  It also wants a more stringent provision regarding public interest notices and exceptions relating to law enforcement or national security bodies.  As with many other submissions it highlights the need for proper resourcing of the Commissioner’s office.
  • Law Society of New South Wales.  Supportive.  In its brief submission it wants more specificity in the definition of risk and wants clarification on who sections 26WB(1) and WC will interact.  I am not as convinced of the latter problem.
  • Liberty Victoria.  Very supportive.  It wants more resourcing for the Commissioner.
  • Macquarie Telecom. Supportive.  It argues that several entities being required to notify arising from the same breach.  It also complains about the terms serious breach and serious harm.  It also wants to increase the threshold of harm to be increased by removing reference to emotional and psychological harm.
  • Microsoft Australia.  Supportive.  The main concern relates to the operation of section 26WC(1) and its ability to comply with it as it may not be able to communicate with individuals.
  • Miga.  Not supportive of the concept but is taking a practical approach.  It takes issue with the definition of a serious data breach, risk of serious harm and does not support the likely prospect that the release of health records will require notification.
  • Nicole Murdoch.  Very supportive.  She supports stronger controls and shorter notification times. And less emphasis on mitigation steps as a relevant factor.
  • Nuix Pty Ltd.  Very supportive.  It wants other supports and subsidies to educate organisations.
  • Office of the Australian Information Commissioner.  Supportive.  The OAIC is supportive of section 26WC where a entity will make its own assessment.  This is disputed by some parties and I have concerns about the quality of the assessment being affected by other factors.  It is more a paean than submission.
  • Office of the Information Commissioner Queensland.  Supportive. It does recommend that where the threshold for notification is not met in the event of a data breach then an entity should record instances where privacy has potentially been compromised.  A good idea however it requires discrete drafting and right of the Commissioner to inspect.
  • Paypal. Grudging support.  It is concerned about the definition of harm. It wants to specify and limit the definition of harm.  That will limit the disclosable circumstances.  It also complains about the evaluation of risk process.
  • Protiviti Pty Ltd. Supports but doesn’t think the legislation will improve data security.  It is hard to argue with its statement “…in our experience, many entities still do not have adequate controls in place to prevent data breaches or to detect them when they have occurred.”  That is my experience.  It does have problems with what constitutes reasonable grounds and what is a serious data breach.  It’s proposal to have an avenue to approach the Commissioner for advice along equivalent to a private ruling by the ATO is fraught.
  • PwC.  Generally supportive. In a long submission the PwC wants a raft of changes including applying the reasonable person test, issue guidance about “ought reasonably be aware” (a bad idea), obtain an extension on the 30 day assessment period, clarity on the encryption provisions, responsibilities vis a vis entity and their contractors.
  • Council of Records and Information management.  Supportive.  But wants changes to the 30 day assessment rule and some form of tiered level to exposure of risk. And a 30 day specified compliance under section 26WD(5),
  • Telecommunications Industry Ombudsman.  Supportive.
  • Telstra. In a covering letter plus annexure.  Supportive.  But wants changes.  Remove “ought reasonably to have become so aware” and limit the operation of “reasonable grounds”.  It doesn’t like the ordinary person test.  It has company with that submission.  It raises the issue of multiple parties holding personal information, especially a contractor.  It proposes no solution.
  • Terry Darling.  Drafted in neutral terms but generally .  He complains about the definition of serious data breach, serious harm and real risk.  He wants the factors set out in Division 2 to be specified in more detail.

The Mandatory Data Breach Notification Bill is unlikely to be presented until at least September/October, at the earliest, given Parliament will be prorogued in May, an election held in July and the Parliamentary machinery not coming on line until at least August.

The Privacy Commissioner has released his Guide to Data breaches.

The Media Release provides:

Data breaches involving personal information can happen in any organisation, so being prepared for this ‘what if’ is a critical risk planning step.

Prior preparation is the key to minimising reputational risk, cost and disruption in the event of a breach, which is why the OAIC has released a new guide to assist your organisation to develop a clear Data Breach Response Plan.

The guide explains how actions immediately after the discovery of a breach can be crucial to the success of a response. Quick responses can also substantially decrease the impact on affected individuals, which is vital to protecting your consumer confidence and reputation.

Having the right people, plans and systems in place prior to any breach is essential to how quickly and accurately your organisation can respond. Accordingly our Guide will help you determine and document:

  • membership, roles and responsibilities of your response team
  • the immediate actions you need to take if a breach is suspected or discovered
  • escalation paths and critical decision points
  • key communication steps.

We have also included a handy checklist to help you quickly determine whether your existing data breach response plan covers all the relevant elements to respond to a data breach.

So to begin developing your data breach response plan, or to see if your current plan meets best practice, see our Guide to developing a data breach response plan.

The Guide is drawn in very broad terms but does serve the important purpose of providing a structure for an organisation to develop a plan.  It provides, absent footnotes:


This Guide will help you develop a data breach response plan. A short checklist is also set out in the Appendix.

This guide complements the Office of the Australian Information Commissioner’s Data breach notification guide: A guide to handling personal information security breaches (DBN Guide), which provides detailed guidance about responding to a data breach once it occurs.

This guide is intended for use by entities covered by the Privacy Act 1988 (Cth) (Privacy Act), including organisations, agencies, credit reporting bodies (CRBs), credit providers and tax file number recipients. However, this guide may also be relevant to organisations not subject to the Privacy Act as a model for better privacy practice.

This guide is not legally binding. However, if you are covered by the Privacy Act you will have obligations under the Act to take reasonable steps to protect the personal information that you hold from misuse, interference and loss, and from unauthorised access, modification or disclosure. One of those reasonable steps may include the preparation and implementation of a data breach response plan.

What is a data breach?

For the purpose of this Guide a data breach is when personal information held by an entity is lost or subjected to unauthorised access, modification, disclosure, or other misuse or interference. Examples of a data breach are when a device containing personal information of clients is lost or stolen, an entity’s database containing personal information is hacked or an entity mistakenly provides personal information to the wrong person.

A ‘data breach’ may also constitute a breach of the Privacy Act, however this will depend on whether the circumstances giving rise to the data breach also constitute a breach of one or more of the APPs, a registered APP code or the Privacy (Credit Reporting) Code 2014 (CR code).

Why do you need a data breach response plan?

All entities should have a data breach response plan. Your actions in the first 24 hours after discovering a data breach are often crucial to the success of your response. A quick response can substantially decrease the impact on the affected individuals.

High profile data breaches, both in Australia and overseas, highlight the significant disruption caused by a breach of personal information. Research suggests that the cost to an organisation for a data breach can be significant.Implementing a data breach response plan can assist in mitigating these costs.

Having a data breach response plan is part of establishing robust and effective privacy procedures. And having clear roles and responsibilities is part of good privacy governance. A data breach response plan can also help you:

  • meet your obligations under the Privacy Act — an entity must take reasonable steps to protect the personal information that it holds; those reasonable steps may include having a data response plan
  • protect an important business asset — the personal information of your customers and clients as well as your reputation
  • deal with adverse media or stakeholder attention from a breach or suspected breach
  • instil public confidence in your capacity to protect personal information by properly responding to the breach.

What is a data breach response plan?

A data breach response plan is one tool to help you manage a data breach. It is a framework which sets out the roles and responsibilities for managing an appropriate response to a data breach as well as describing the steps to be taken by an entity in managing a breach if one occurs. This includes:

  • the actions to be taken if a breach is suspected, discovered or reported by a staff member, including when it is to be escalated to the response team
  • the members of your data breach response team (response team)
  • the actions the response team is expected to take.

Your data breach response plan should be in writing to ensure that your staff clearly understand what needs to happen in the event of a data breach.

You will need to regularly review and test your plan to make sure it is up to date and that your staff know what actions they are expected to take. What is ‘regular’ in this context will depend on your circumstances, including the size of your entity, the nature of your operations, the possible adverse consequences to an individual if a breach occurs and the amount and sensitivity of the information you hold.

Research suggests that infrequent reviews of response plans are a significant impediment to the effectiveness of those plans.You should create and test your plan before a data breach occurs by, for example, responding to a hypothetical data breach, and regularly test it after implementation for effectiveness. It may be appropriate in some instances that a review of the plan coincide with the introduction of new products, services, system enhancements or such other events which involving the handling of personal information.

Make sure you and your staff are familiar with your data breach response plan and that it is easily accessible; this will help you respond quickly and appropriately.

An example of a data breach response plan you can refer to is the OAIC’s plan, available on the OAIC website. The OAIC is a small government agency and the scope and content of the plan reflects this. If you chose to adopt aspects of our plan you will need to adapt it to your own circumstances.

What should the plan cover?

The more comprehensive the plan, the more timely the ability to respond to a potential breach and mitigate any damage or harm to individuals who have had their personal data compromised.

Information which your plan should cover includes:

  • a strategy for assessing, managing and containing data breaches. This includes the steps and actions your staff, especially your response team, should take in the event of a breach or suspected breach. Specifically:
    • potential strategies for containing and remediating data breaches
    • ensuring you have the capability to implement those strategies as a matter of priority (e.g. having staff available to deal with the breach – see ‘Response team membership’ section below). Your plan should reflect the capabilities of your staff to adequately assess breaches and their impact, especially when breaches are not escalated to a response team
    • a clear and immediate communications strategy that allows for the prompt notification of affected individuals and other relevant entities. In particular:
      • who is responsible for implementing the communications strategy
      • determining how affected individuals will be contacted and managed
      • criteria for determining which external stakeholders should be contacted (for example, law enforcement and cyber security agencies, regulators (including the OAIC) and the media)
      • who is responsible for determining which external stakeholders should be contacted
      • who is responsible for liaising with those external stakeholders?
    • The plan should also clearly identify those actions that are legislative or contractual requirements
  • a clear explanation of what constitutes a data breach, so that staff are able to identify one should a breach occur (see ‘What is a data breach?’ section above). You may also want to include potential examples of a data breach which are tailored to reflect your business activities
  • the reporting line if staff do suspect a data breach, including who needs to be informed immediately
  • the circumstances in which the breach can be handled by a line manager, or when it should be escalated to the response team. This could include consideration of the following questions:
    • are multiple individuals affected by the breach or suspected breach?
    • is there (now or potentially in the future) a real risk of serious harm to the affected individual(s)?
    • does the breach or suspected breach indicate a systemic problem with your practices or procedures?
    • other issues relevant to your circumstances, such as the value of the data to you or issues of reputational risk
  • who is responsible for deciding whether the breach should be escalated to the response team? One option is to have each senior manager responsible for deciding whether to escalate matters relevant to their area. The other option is to have a dedicated role, such as the privacy contact officer
  • recording data breaches. You should consider how to record data breaches, including those that are not escalated to the response team
  • a strategy to identify and address any weaknesses in data handling that contributed to the breach
  • a system for a post-breach review and assessment of your entity’s response to the data breach and the effectiveness of your data breach response plan.

Response team membership

The purpose of having a response team is to ensure that the relevant staff, roles and responsibilities are identified and documented before the data breach happens. Time can be lost if you do not consider how to create a response team until the breach has already occurred.

The make-up of your response team will depend on your business and the nature of the breach. Different skill sets and staff may be needed to respond to one breach compared to another. Depending on the size of your entity and the nature of the breach, you may need to include external experts in your team, for example for legal advice, data forensics and media management. You should identify the type of expertise you may need and ensure that that expertise will be available on short notice.

You should keep a current list of team members which clearly articulates their roles, responsibilities and authorities as well as their contact details (possibly attached to the plan). You should ensure contact lists remain updated, particularly in the event of organisational changes. Each role on the team should have a second contact point in case the first is not available. You may wish to consider creating a core team and adding other members as required.

Typical team roles and skills might include:

  • a team leader — to lead the team and manage reporting to senior management
  • a project manager — to coordinate the team and provide support to its members
  • a senior member of staff with overall accountability for privacy and/or key privacy officer — to bring privacy expertise to the team
  • legal support — to identify legal obligations and provide advice
  • risk management support — to assess the risks from the breach
  • ICT support/forensics support — particularly if the breach requires investigation of ICT systems
  • information and records management expertise – to assist in reviewing security and monitoring controls related to the breach (for example, access, authentication, encryption, audit logs) and to provide advice on recording the response to the data breach
  • HR support — if the breach was due to the actions of a staff member
  • media/communications expertise — to assist in communicating with affected individuals and dealing with the media and external stakeholders.

If you hold an insurance policy for data breaches, that insurer may have a pre-established panel of external service providers in many of the roles listed above. You may want to consult with your insurer as to the identity of that panel so they can be included in any response team. Alternatively, the insurer may have a hotline available to assist in the event of a data breach, and that could be noted in the response plan.

How the response team is reflected in your response plan will depend on your circumstances. For example, the escalation of management of a data breach to a response team may not occur in smaller entities. Depending on the size of your entity or the size of the breach, a single person may perform multiple roles. In smaller entities the owner/principal of the entity could potentially be the person who needs to respond to and act on that breach.

It is important that the response team has the authority to take the necessary steps in the event of a breach without the need to seek permissions particularly in time critical scenarios. You will need to carefully consider who will be the team leader. The role must be of sufficient seniority/authority to effectively manage other parts of the business whose input is required and to report to senior management. It may be your senior member of staff with overall accountability for privacy, a senior lawyer (if you have an internal legal function) or another senior manager. If the breach is serious, it may be a senior executive.

Actions the response team should take

A data breach response plan should also set out (or refer to) the actions the response team is expected to take when a data breach is discovered. The OAIC suggests these four steps be followed:

  1. contain the breach and do a preliminary assessment
  2. evaluate the risks associated with the breach
  3. notification
  4. prevent future breaches.

These steps and suggested courses of action are set out in more detail in the OAIC’s Data breach notification guide: A guide to handling personal information security breaches. When developing the actions your response team will take, you could use or adapt our suggestions or seek out other resources. Any response plan will need to be tailored and developed for your own circumstances.

You will need to consider what information needs to be reported to senior management during the course of your investigations and at what point. This reporting structure should form part of your plan.

The data breach response plan should outline how staff will record the identification and response to a data breach. Keeping records on your privacy breaches will assist you to deal with the data breach itself, and also help prevent future breaches by identifying risks and issues.

It is also best practice to notify the OAIC when you have a data breach and there is a real risk of serious harm to the affected individuals. You can report a data breach to the OAIC via email ( or telephone (1300 363 992).

Other considerations

In developing your plan you could also consider:

  • when and how the response team could practice a response to a breach in order to test procedures and refine them
  • whether your plan for dealing with personal information data breaches could link into or be incorporated into already existing processes, such as a disaster recovery plan, an cyber security/ICT incident response plan, a crisis management plan or an existing data breach response plan involving other types of information (e.g. commercially confidential information)
  • whether senior management should be directly involved in the planning for dealing with data breaches and in responding to serious data breaches
  • whether you have an insurance policy for data breaches that includes steps you must follow.

Appendix — data breach response plan quick checklist

Use this list to check whether your response plan addresses relevant issues.


Yes/no Comments
How is a data breach identified?    
Do your staff know what to do if they suspect a data breach has occurred?    
Who is ultimately responsible for your entity’s handling of a data breach in accordance with the plan?    
Who is on your response team?    
Do you need to include external expertise in your response team, for example data forensics experts, privacy experts etc?    
Do they know their roles and what to do?    
Have you set up clear reporting lines?    
When do you notify individuals affected by a data breach?    
Have you considered in what circumstances law enforcement or regulators (such as the OAIC) may need to be contacted?    
Do you have an agreed approach to responding to media inquiries, including

  • pro-active or reactive strategies?
  • agreed spokesperson?
What records will be kept of the breach and your management of it?    
Does your plan refer to any strategies for identifying and addressing any weaknesses in data handling that contributed to the breach?    
Are there any matters specific to your circumstances, for example:

  • do you have insurance policies that may apply?
  • how will you keep your staff informed?
How frequently is your plan tested and reviewed and who is responsible for doing so?    
Is there a system for a post-breach review and assessment of your entity’s response to the data breach and the effectiveness of your data breach response plan?    

To highlight how prevalent data breaches are and the consequences a few very recent examples:

  • The Pain treatment centre of America notified 19,397 patients about a breach (described as incident)
  • 700 people who sought accomodation through the University of Prince Edward Island have had their personal information leaked in March which resulted in an embarrassing story on CBC News

One Response to “Attorney General publishes submissions to draft Mandatory Data Breach Bill and Privacy Commissioner releases Guide to developing Data Breach response plan”

  1. Attorney General publishes submissions to draft Mandatory Data Breach Bill and Privacy Commissioner releases Guide to developing Data Breach response plan | Australian Law Blogs

    […] Attorney General publishes submissions to draft Mandatory Data Breach Bill and Privacy Commissioner … […]

Leave a Reply

Verified by MonsterInsights