Do you have a Data Breach Response Plan in place?

Friday May 4, 2018

As of 22 February 2018, amendments to the Privacy Act 1988 (Act) make it compulsory for individuals and companies* to implement a Data Breach Response Plan when a data breach occurs.

The Act imposes harsh penalties, $360K for individuals and $1.8M for companies, for failing to comply with the Notifiable Data Breach (NDB) scheme.

The NDB scheme is meant to strengthen the protection of personal information held by organisations. If a breach occurs, organisations must inform the Office of the Australian Information Commissioner as well as all affected individuals.

What is a data breach?

A data breach occurs when personal information that an entity holds is subject to unauthorised access or disclosure, or is lost. Examples of data breach include:

  • loss or theft of physical devices (such as laptops, phones and storage devices) or paper records that contain personal information;
  • unauthorised access to personal information by employees or former employees;
  • inadvertent disclosure of personal information due to ‘human error’, for example an email sent to the wrong person;
  • disclosure of an individual’s personal information to a scammer, as a result of inadequate identity verification procedures.

Why do you need a Data Breach Response Plan?

A Data Breach Response Plan enables an entity to respond quickly to a data breach. By responding quickly, an entity can substantially decrease the impact of a breach on affected individuals, reduce the costs associated with dealing with the breach, and reduce the potential reputational damage that can result. If the response plan is implemented properly, quickly and efficiently, there may be, in some circumstances, an opportunity to forego individual notification.

What is a Data Breach Response Plan?

A Data Breach Response Plan is a framework that sets out the roles and responsibilities involved in managing a data breach. It also describes the steps an entity will take if a data breach occurs.

What should the plan cover?

The more comprehensive your Data Breach Response Plan is, the better prepared your entity will be to effectively reduce the risks and potential damage that can result.

For example, information that should be in a plan includes:

  • a clear explanation of what constitutes a data breach;
  • a strategy for containing, assessing and managing data breaches;
  • the roles and responsibilities of staff;
  • how your entity will record data breach incidents;
  • a review process to evaluate how the data breach occurred.

If you would like us to review or draft a Data Breach Response Plan for your organisation please do not hesitate to contact our office on 03 9550 4600.

*All businesses and NFPs with annual turnover of >$3M and, irrespective of turnover, all: private sector health service providers, traders in personal information, TFN recipients, personal information holders who undertake certain activities such as government contracts.