The best way to manage a privacy incident or breach is to have a tested privacy incident response plan.
If you’re managing an active breach, use NotifyUs, the Office of the Privacy Commissioner’s (OPC) online tool to work out if a breach is notifiable and needs to be reported it to them.
If an agency has a privacy breach that’s likely to cause anyone serious harm, it’s legally required to notify OPC and any affected people as soon as practicable.
An incident response plan needs to provide the agency with all the information required to respond to a privacy incident effectively and in a timely manner.
It’s best practice for an agency’s privacy incident response plan to be linked to its business continuity plan.
How to respond to an active privacy breach
Follow the OPC’s guidance on how to manage an active privacy breach.
An incident response plan will vary depending on the size of the agency and the volume and type of personal information it holds.
Keep it concise and accessible
An incident response plan should be in a format that is easy to read and easy to follow. An incident response plan needs include details but also needs to be flexible so it can be applied to different incidents.
Involve a range of business groups
It’s recommended that a range of business groups contribute to the completion of the incident response plan, including:
information security
risk and assurance
ICT
communications
legal
service delivery/operations
senior leadership team.
To ensure effective leadership and governance, the incident response plan should be reviewed and approved by the senior leadership team.
Assign roles and responsibilities
It’s important that an incident response plan clearly sets out the roles and responsibilities of those involved in the incident response. These roles and responsibilities will vary from agency to agency.
The incident response plan should clarify the responsibilities between the Chief Security Office (CSO), Chief Information Officer (CIO), and Chief Privacy Officer (CPO), depending on the nature of the incident. A security breach of unauthorised access may need to be managed differently than a privacy breach of accidental disclosure.
The plan should also clarify who will be responsible for assessing if the breach reaches the level of serious harm and requires notification to the Office of the Privacy Commissioner, including who will input information into their online breach reporting tool NotifyUs.
In the event of an incident or breach, it’s important to understand who is responsible for contacting whom to ensure the incident response progresses effectively and in a timely manner. A communication tree is a useful tool for gathering and collating this information.
A communication tree should include contact information for:
key individuals involved in incident response
staff
third party providers
companies and agencies who can assist with the response
Office of the Privacy Commissioner
Government Chief Privacy Officer.
The communication tree should be regularly updated and tested to ensure it operates effectively.
Questions to ask when developing your plan
This section is designed to be used in conjunction with the OPC’s guidance on how to respond to privacy breaches.
There are 4 steps when managing with a privacy breach. The same process is undertaken in response to privacy incidents, though it’s unlikely an agency would be required to notify in the event of an incident.
1. Contain and assess
Once a privacy breach is discovered it needs to be contained and assessed immediately.
Questions to ask:
Is the first step of your plan to contain the breach as soon as it has been identified?
Does your plan have clear instructions regarding who staff should contact to conduct an initial investigation and make containment recommendations?
Is it clear within your plan when to escalate the incident and invoke the response plan?
Does your plan clearly set out who needs to be informed in the event of an incident and when the incident needs to be reported to the Police?
Does your plan advise the individuals responding to the incident to be careful not to destroy any evidence?
2. Evaluate the risks
Once the privacy breach has been contained, an agency will need to assess the risks associated with the breach.
Questions to ask:
Does your plan include a process for evaluating the risks associated with the privacy breach?
Does your plan include, or link to, a risk matrix so you can understand the possible consequences and the likelihood of each risk occurring?
Does your plan include severity ratings and escalation triggers?
The following questions may assist with evaluating the risk:
Have you identified the types of personal information involved?
Do you know what the personal information might reveal?
Do you know whether the personal information is easy to access?
Have you established the cause of the breach?
Do you know the extent of the breach?
Have you identified potential harms resulting from the breach?
Do you know who holds the information now?
3. Notify if necessary
It’s important for an agency to be open and transparent with individuals about how it’s handling their personal information.
In the event of a privacy breach, an agency needs to consider each incident on a case-by-case basis whether to notify affected individuals or not. If there is a risk of harm, an agency should usually notify them, allowing them to take steps to protect themselves and regain control of their information as soon as possible.
If an agency has a privacy breach that’s likely to cause anyone serious harm, it’s legally required to notify OPC and any affected persons as soon as practicable.
Does your plan include a process for establishing whether you should notify affected individuals and/or the OPC? Each incident needs to be considered on a case-by-case basis, but factors to consider include:
the risk of harm to people affected
whether there’s a risk of identity theft or fraud
whether there’s there a risk of physical harm
whether there’s a risk of humiliation, loss of dignity, or damage to the person’s reputation or relationships (for example; if the lost information includes mental health, medical, or disciplinary records).
what affected people can do to avoid or minimise possible harm, for example, change a password
whether you have any legal or contractual obligations
Does your plan account for the mandatory breach notification provisions included in the Privacy Act?
Does your plan include a process for how you will notify individuals (for example, by phone, letter, or email)?
Does your plan set out the high-level content that needs to be included in the breach notification?
Does your plan provide a process for engaging with third parties (for example, Police, insurers, relevant minister(s))?
Does your plan include a communications plan that includes how to manage media and public enquiries?
4. Prevent a repeat
Following a privacy breach, an agency should take the time to investigate the cause of the breach and update their processes and practices where appropriate.
Questions to ask:
Does your plan include a process for subsequently reviewing the causes of the breach? This may include a:
security audit of both physical and technical security
review of your collection, storage, retention and disposal of personal information practices
review of policies and procedures
review of employee training practices
review of any third party providers involved in the breach.
