The new Notifiable Data Breach laws come into effect on 22 February. Outlined below are some tips to help get you up to speed.
1. Are you complying with your current obligations as set out in the Australian Privacy Principles (APPs)?
The APPs are:
APP 1 – open and transparent management of personal information
APP 2 – anonymity and pseudonymity
APP 3 – collection of solicited personal information
APP 4 – dealing with unsolicited personal information
APP 5 – notification of the collection of personal information
APP 6 – use or disclosure of personal information
APP 7 – direct marketing
APP 8 – cross-border disclosure of personal information
APP 9 – adoption, use or disclosure of government related identifiers
APP 10 – quality of personal information
APP 11 – security of personal information
APP 12 – access to personal information
APP 13 – correction of personal information
- Do you do what it says?
Does it say what you do?
- Align what is said and done to the APP obligations above.
3. Assemble your breach team
- Who in your organisation is responsible for privacy?
- When a crisis hits does everyone know their role and responsibilities?
4. Create an incident assessment plan
Create an incident assessment plan to meet the 30-day legal obligation once a “suspected breach” has occurred.
- How are incidents logged?
- Who leads investigations?
- What are reporting times and format?
- Who makes the assessment?
- Do you need external input/sign off?
Once the incident is assessed make a decision – is notification required?
5. Prepare to notify
If the assessment results in finding an eligible breach has occurred then you need to move to notify the regulator and affected individuals:
- Where is the breach response plan?
- What pre-planned steps are in place? eg. communication channels, messaging to different stakeholders, microsites and basic FAQs.
- Assemble the team and execute the plan.
Our data and privacy team can assist you with advice and necessary documentation for all of the above steps.
Author: Lyn Nicholson
Lyn Nicholson, General Counsel
T: +61 2 8083 0463
Dan Pearce, Partner
T: +61 3 9321 9840
Trent Taylor, Partner
T: +61 7 3135 0668
The information in this publication is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, we do not guarantee that the information in this publication is accurate at the date it is received or that it will continue to be accurate in the future. We are not responsible for the information of any source to which a link is provided or reference is made and exclude all liability in connection with use of these sources.