Responding to data breaches
Data breaches happen. They can happen because of poor policies and training, a misunderstanding of the law, a malicious act, a technical problem or human frailty. The potential for a data breach to occur can be reduced by good policies and practices in the handling of personal information and by ongoing training of staff in their responsibilities under the Privacy and Data Protection Act 2014 (Vic) (PDP Act).
Examples of data breaches include:
- When an employee takes paper records, an unencrypted USB stick or laptop out of the office and the information is lost or stolen.
- When an organisation mistakenly provides personal information to the wrong person.
- When an organisation’s database is illegally accessed by staff members or by individuals outside of the organisation.
When an organisation experiences a privacy breach, we recommend that it act quickly to investigate and understand the incident, and take appropriate steps to manage any potential consequences for affected individuals.
What to do when you have a data breach
There are four key steps to shape your response to a data breach (or suspected breach):
- Contain the breach and conduct a preliminary assessment
- Evaluate the risks associated with the breach
- Remediate and notify (and other steps to mitigate harm)
- Review the cause of the breach and your organisation’s response and take steps to improve practices and lessen the likelihood of future breaches.
When notified of a suspected breach, take each situation seriously and investigate immediately.
View OVIC’s guide, Managing the privacy impacts of a data breach. If you would like to notify OVIC of the breach, please complete our data breach reporting form and send it to firstname.lastname@example.org.
The Office of the Australian Information Commissioner also has some helpful information on breach management here.
You can also contact us for guidance on breach management.
Reporting a data breach
Initial notification may be followed by ongoing liaison in relation to management of the breach. Organisations may also wish to submit a report after the matter has concluded in order to receive written feedback from us.
It’s fine if you don’t have all the details yet, but when you contact us we’ll likely ask you for some information about the breach:
- Some details about what has happened, the kind of information that was exposed, and the people who have been affected.
- Information about what your organisation is doing to manage the breach, including whether the breach has been contained and/or the information recovered, and whether you are planning on contacting the affected individuals.
- The contact person within your organisation to whom we can refer enquiries from the public relating to the breach.