DATA BREACH RESPONSE PLAN

Introduction

The Notifiable Data Breaches (NDB) Scheme in Part IIIC of the Privacy Act 1988 (Cth) requires DACA to notify affected individuals and the Privacy Commissioner about ‘eligible data breaches’.

An ‘eligible data breach’ occurs when the following criteria are met

  • There is unauthorised access to, or disclosure of, Personal Information (PI) held by DACA (or information is lost in circumstances where unauthorised access or disclosure is likely to occur)

  • This is likely to result in serious harm to any of the individuals to whom the information relates

  • The entity has been unable to prevent the likely risk of serious harm with remedial action.

What is a Data Breach

A data breach occurs when PI that DACA holds is subject to unauthorised access or disclosure, or is lost.

There are three principal mechanisms whereby a data breach can occur

  • loss or theft of DACA IT devices (such as laptops and storage devices) or paper records that contain PI

  • unauthorised access to PI by a third party (ICT system compromise / hack / breach)

  • inadvertent disclosure of PI due to ‘human error’, for example an email sent to the wrong person.

Data Breach Response Plan

This Plan documents the actions to be taken by the DACA management team and its employees in the event of a data breach or suspected data breach, including

  • Response Team membership

  • Contractual obligations

  • Internal communication channels

  • Documentation

  • Containment / remediation roles and responsibilities 

  • Notification of affected individuals and relevant authorities 

  • Post incident review.

Response Team

The DACA Incident Response Team, consisting of the DACA Directors, will manage all security and privacy incidents.

Additional forensics expertise will be contracted in to fully investigate any notifiable data breach and security incident.

Contractual Obligations

Contracts with the following entities place obligations on DACA in relation to the protection of PI and reporting of any data breaches

  • Galexia

  • Department of Health (Aged Care Panel)

  • KPMG

  • National Music Academy (NMA).

Internal Communications

DACA is a micro-business, therefore internal communication channels between DACA Directors are straightforward. All incidents or suspected incidents will be communicated to, and between, DACA Directors who will take the appropriate actions.

Documentation

DACA will maintain a Data Breach / Incident Register that will record

  • When the breach was detected (or suspected) and  by whom

  • When the data breach actually occurred

  • Scope of the incident - what systems were affected, what documents/data were lost

  • What data was compromised / lost

    • the number of people affected by the breach or suspected breach

    • whether there is a risk of serious harm to affected individuals now or in the future

    • the value of the data to DACA including issues of reputational risk

  • Whether the data breach or suspected data breach indicates a systemic problem with DACA’s practices or procedures

  • How the breach was contained and eradicated

  • Work performed or changes made to systems during recovery

  • Who advised regulators and affected users and when.

Containment / Remediation

Identify how the data was lost / compromised

  • loss or theft of a DACA ICT device

  • unauthorised access by a third party (ICT system compromise)

  • human error resulting in inadvertent disclosure of PI

    • Determine who was responsible.

If the data breach is the result of the loss or theft of a DACA ICT device

  • Identify the device(s) and the PI data that was stored on them

    • If lost, use best endeavours to locate the device and inform the police

    • If stolen, advise the police

  • Use the installed antivirus security package to lock the device (encrypt the data).

If the data breach is the result of a system compromise

  • Disconnect the DACA systems from the internet (iMac, Laptop, iPads, Mobile phones)

  • Disable remote access capability

  • Change access control credentials.

If the data breach was the result of human error

  • Identify who was responsible

  • Identify how the breach occurred

  • Identify who the data was sent to and contact them requesting them to delete the data from their systems.

Notifications

  • A DACA Director will notify both relevant regulators (OAIC, ACSC) and affected individuals within 24 hours of

    • confirming a data breach has occurred

    • determining what information has been lost 

    • determining whether the loss is likely to result in serious harm to any of the individuals

    • determining that DACA has not been able to prevent the likely risk of serious harm with remedial action

  • Affected individuals will be contacted by telephone with a follow up email advising them that their PI has been lost and/or compromised

  • NSW Police will be notified in the event a device has been lost or stolen.

Post Incident Review

DACA will document

  • When the breach was detected and by whom

  • When the breach actually occurred

  • Scope of the incident/affected systems

  • Data that was put at risk

  • How the breach was contained and eradicated

  • Work performed or changes made to systems during recovery

  • Areas where the response plan was effective

  • Areas that need improvement.

Resources

https://www.shearwater.com.au/category/notifiable-data-breach/

https://www.securitymetrics.com/learn/how-to-effectively-manage-a-data-breach

https://thedataist.com/how-to-manage-a-data-breach-incident/