Responding to data breaches
Privacy breaches happen. They can happen because of poor policies and training, a misunderstanding of the law, a malicious act, a technical problem or human frailty. The potential for a privacy breach to occur can be reduced by good policies and practices in handling of personal information and ongoing training of staff in their responsibilities under the Privacy and Data Protection Act 2014 (Vic) (PDP Act).
Examples of data breaches include:
- When an employee takes paper records, an unencrypted USB stick or laptop out of the office and the information is lost or stolen.
- When an organisation mistakenly provides personal information to the wrong person.
- When an organisation’s database is illegally accessed by staff members or by individuals outside of the organisation.
When an organisation experiences a privacy breach, we recommend that they act quickly to investigate and understand the incident, and take appropriate steps to manage any potential consequences for affected individuals.
Although it is not compulsory to report privacy breaches to us, we strongly encourage organisations to do so. This is primarily so that we can engage with organisations and assist them with their management of the incident, with a view towards minimising the risk of harm to affected individuals and identifying practical options for improving information handling practices going forward.
What to do when you have a privacy breach
There are four key steps to shape your response to a privacy breach (or suspected breach):
1. Contain the breach and conduct a preliminary assessment.
2. Evaluate the risks associated with the breach.
3. Remediate and notify (and take other steps to mitigate harm).
4. Review the cause of the breach and your organisation’s response, and take steps to improve practices and lessen the likelihood of future breaches.
When notified of a suspected breach, take each situation seriously and immediately investigate. Undertake steps 1, 2 and 3 either simultaneously or in quick succession. Step 4 provides recommendations for longer-term solutions and prevention strategies.
The decision on how to respond should be made on a case-by-case basis. The speed and adequacy of an organisation’s response to a serious privacy breach may significantly reduce the cost to the organisation later, both financially and from potential loss of reputation.
The Office of the Australian Information Commissioner also publishes helpful information on breach management.
You can also contact us for guidance on breach management.
Reporting a privacy breach
You can notify us of a privacy breach in any way. There is no required form or format. Reporting can simply take the form of a phone call in the first instance in order to discuss what has occurred and the considerations that should be taken into account in dealing with the breach.
This may be followed by ongoing liaison in relation to management of the breach. Organisations may also wish to submit a report after the matter has concluded in order to receive written feedback from us.
It’s fine if you don’t have all the details yet, but when you contact us we’ll likely ask you for some information about the breach:
- Some details about what has happened, the kind of information that was exposed, and the people that have been affected.
- Information about what your organisation is doing to manage the breach, including whether the breach has been contained and/or the information recovered, and whether you are planning on contacting the affected individuals.
- The contact person within your organisation to whom we can refer enquiries from the public relating to the breach.
After an initial discussion with us, you can also submit a report for feedback if you would like to review your organisation’s breach response.
Why should my organisation report a privacy breach?
Reporting a breach to us is voluntary but strongly recommended for a number of reasons:
- We can provide guidance to your organisation on how to best mitigate the risks from a data breach.
- Reporting allows us to respond more effectively to enquiries from individuals who may have been affected, and to refer enquiries relating to the incident to the relevant contact person within your organisation.
- We can provide some independent assurance about the appropriateness of your organisation’s response. However, it is important to note that we cannot provide a binding ruling to this effect, and our assessment of your response will not preclude an individual from making a privacy complaint to our office.
- In many cases, reporting is a ‘reasonable step’ to prevent misuse of personal information as required by Information Privacy Principle 4.
- We can assist your organisation to develop data breach response plans to help manage the risk of future breaches.
Where to get help
If your organisation has had a privacy breach, you can contact us for guidance on breach management.
Remember, you don’t have to wait for a privacy breach to contact us. We can assist your organisation with general guidance on the Information Privacy Principles and with the planning for projects that will potentially have privacy impacts.