Publication date: November 2021
This data breach response plan (response plan) sets out procedures and clear lines of authority for OAIC staff in the event the OAIC experiences a data breach (or suspects that a data breach has occurred).
A data breach occurs when personal information is accessed or disclosed without authorisation or lost.
Under the Notifiable Data Breaches (NDB) scheme the OAIC must notify affected individuals and the OAIC (as regulator) when a data breach is likely to result in serious harm to an individual whose personal information is involved.
For good privacy practice purposes, this response plan covers any instances of unauthorised use, modification, interference with or loss of personal information held by the OAIC. Data breaches can be caused or exacerbated by a variety of factors, affect different types of personal information and give rise to a range of actual or potential harms to individuals and entities.
This response plan is intended to enable the OAIC to contain, assess and respond to data breaches quickly, to help mitigate potential harm to affected individuals and to comply with the NDB scheme. Our actions in the first 24 hours after discovering a data breach are crucial to the success of our response.
The plan sets out:
- contact details for the appropriate staff in the event of a data breach,
- clarifies the roles and responsibilities of staff, and
- documents processes to assist the OAIC to respond to a data breach.
Responding to a data breach
There is no single method of responding to a data breach. Data breaches must be dealt with on a case-by-case basis, by undertaking an assessment of the risks involved, and using that risk assessment to decide the appropriate course of action. Depending on the nature of the breach, the response team may need to include additional staff or external experts, for example an IT specialist/data forensics expert or a human resources adviser.
When responding to a data breach officers should ideally undertake steps 1, 2 and 3 either simultaneously or in quick succession. At all times, officers should consider what remedial action can be taken to reduce any potential harm to individuals.
Officers should refer to the checklist below and to the OAIC’s Data breach preparation and response — A guide to managing data breaches in accordance with the Privacy Act 1988 (Cth),which provides further detail on each step.
Depending on the breach, not all steps may be necessary, or some steps may be combined. In some cases, it may be appropriate to take additional steps that are specific to the nature of the breach.
1. Identify the breach
A suspected data breach may be discovered by and OAIC staff member or contractor or the OAIC may be otherwise alerted (for example, by a member of the public or the media).
If you become aware of, or are notified of a data breach, immediately notify your EL2 Director of the suspected data breach. A data breach suspected by a member of the Executive or a Director may be reported directly to the Chief Privacy Officer.
Record and advise your Director of the following:
- the time and date the suspected breach was discovered,
- the type of personal information involved,
- the cause and extent of the breach, and
- the context of the affected information and the breach.
2. Contain the breach and notify the Chief Privacy Officer (Director)
The EL2 Director should seek to understand, assess and contain the breach. As soon the Director is made aware of the breach or suspected breach, the Director should seek all the facts to enable an initial assessment of whether a data breach has or may have occurred and the seriousness of the data breach or suspected data breach. This should be done within the first hour of being so made aware.
The Director should co-ordinate any immediate action required to contain the breach. Depending on the breach, this may include contacting incorrect recipients requesting them to delete the email or requesting information be removed from a website.
The EL2 Director should notify the Chief Privacy Officer about the data breach, ideally by phone in the first instance, and then a follow-up email as soon as reasonably practicable after co-ordinating any immediate action. Notification must occur however within the same working day as being made aware of the breach and co-ordinating immediate action. Notification to the Chief Privacy Officer should include the provision of the following information:
- the information provided by the OAIC officer in identifying the data breach,
- a description of the breach or suspected breach,
- the action taken by the Director or OAIC officer to address the breach or suspected breach,
- the outcome of that action,
- a view as to the seriousness of the breach, and
- a view as to whether any further action is required.
3. Assess the risks for individuals associated with the breach and make a record (Chief Privacy Officer)
Assessment by the Chief Privacy Officer
It is the Chief Privacy Officer’s role to determine whether the breach constitutes a Notifiable Data Breach. The Chief Privacy Officer should initially assess the data breach, which may involve asking for further information or documentation from the EL2 Director who reported the breach or the OAIC officer who identified the breach.
Collection of the following information about the breach should form part of that assessment by the Chief Privacy Officer:
- the date, time, duration, and location of the breach
- the type of personal information involved in the breach
- how the breach was discovered and by whom
- the cause and extent of the breach
- a list of the affected individuals, or possible affected individuals
- the risk of serious harm to the affected individuals
- the risk of other harms.
Following that assessment, the Chief Privacy Officer must decide whether any further action is required to contain the breach, including but not limited to the following:
- recommending to IT to implement the ICT Incident Response Plan if necessary
- alerting building security if necessary
- advising TRIM/Resolve systems administrator .
The Chief Privacy Officer co-ordinates the record keeping for each data breach in the OAIC Data Breach Incident Log in Content Manager and documents are stored in the Content Manager container ‘Data Breach Response – reports and investigation of data breaches within the OAIC’.
Information about every data breach will be recorded in the Data Breach Incident Log, regardless of whether the Data Breach Response team is convened or the breach amounts to a Notifiable Data Breach. The Log must include the reasons why the Chief Privacy Officer did or did not convene the response team or classify the matter as a Notifiable Data Breach, with links to the relevant decision documents.
Informing the Executive
The Chief Privacy Officer must inform the OAIC Executive as soon as possible after being made aware of a suspected or actual data breach and must provide ongoing updates on key developments. Those updates to Executive may be daily or weekly depending on the nature and severity of the data breach, and how quickly any remedial action can be taken and resolved. The frequency of reporting will be ascertained on a case-to-case basis.
The Assistant Commissioner, Corporate and the Deputy Commissioner must be informed on every occasion of an actual or suspected data breach. Other Executive members are to be relevantly informed on a case-to-case basis. This means if the incident arose from the conduct of Dispute Resolution (Privacy) staff, the Chief Privacy Officer would be required to (additionally) inform the Assistant Commissioner (Dispute Resolution, Privacy). If the incident arose from the conduct of Regulation & Strategy staff, the Chief Privacy Officer would be required to (additionally) inform the Assistant Commissioner (Regulation & Strategy). The Chief Privacy Officer is required to inform the Australian Information Commissioner directly in the event the matter triggers the formation of the data breach response team.
4. Consider breach notification and calling data breach response team
Chief Privacy Officer to use discretion in deciding whether to escalate to the response team
On each occasion of a data breach, the Chief Privacy Office must consider whether to convene the Data Breach Response Team (response team).
Some data breaches may be comparatively minor, and able to be dealt with easily without action from response team.
For example, an OAIC officer may, as a result of human error, send an email containing personal information to the wrong recipient. Depending on the sensitivity of the contents of the email, if the email can be successfully recalled (only relates to internal emails), or if the officer can contact the recipient and obtain an assurance that the recipient has deleted the email, it may be that there is no utility in escalating the issue to the response team.
The Chief Privacy Officer should use their discretion in determining whether a data breach or suspected data breach requires escalation to the response team. The decision to escalate to the response team should be made immediately following the Chief Privacy Officer’s assessment about the data breach after discussions with the relevant Director and the collation of relevant material.
In making that decision the Chief Privacy Officer should consider the following questions:
- Are multiple individuals affected by the breach or suspected breach?
- Is there (or may there be) a real risk of serious harm to any of the affected individual(s)?
- Does the breach or suspected breach indicate a systemic problem in OAIC processes or procedures?
- Could there be media or stakeholder attention as a result of the breach or suspected breach?
Once the Chief Privacy Officer decides that a data breach or suspected data breach requires escalation to the response team, they should co-ordinate the convening of the response team, ideally on the same working day. The response team should be convened with members meeting in person or via secure teleconference facilities.
The checklist below sets out the steps that the response team will take:
- conduct initial investigation, and collect information about the breach promptly
- determine whether the context of the information is important
- establish the cause and extent of the breach
- assess priorities and risks based on what is known
- determine who needs to be made aware of the breach (internally, and potentially externally) at this preliminary stage.
Consider whether the breach is an eligible data breach under the NDB scheme
It is the Chief Privacy Officer’s role to determine whether the breach constitutes a notifiable data breach. This decision may be informed by the views of the response team. If the Chief Privacy Officer determines that the data breach is an eligible data breach, they and the response team must co-ordinate notifications required under the NDB scheme. If there are reasonable grounds to believe an eligible data breach has occurred, the OAIC must promptly notify any individual at risk of serious harm and notify the AIC using the NDB form on the OAIC’s website.
An eligible data breach occurs when the following criteria are met:
- There is unauthorised access to or disclosure of personal information held by an organisation or agency (or information is lost in circumstances where unauthorised access or disclosure is likely to occur).
- This is likely to result in serious harm to any of the individuals to whom the information relates.
- The organisation or agency has been unable to prevent the likely risk of serious harm with remedial action.
Consider whether others should be notified
The Chief Privacy Officer and/or response team should consider whether others should be notified, including:
- the Australian Cyber Security Centre (ACSC), police/law enforcement, or
- other agencies or organisations that:
- may be affected by the breach, or
- can assist in containing the breach, or
- can assist individuals affected by breach, or
- where the OAIC is contractually required or required under the terms of an MOU or similar obligation to notify specific parties.
5. Review the incident and take action to prevent future breaches
Following data breaches, in cases where the Chief Privacy Officer has not convened the response team, they together with the relevant Assistant Commissioner and Director will undertake a post breach review and draft a report outlining the cause of the breach, implementing any strategies to identify and address any weaknesses in data handling that may have contributed to the breach, and making appropriate changes to policies and procedures if necessary.
In cases where the Chief Privacy Officer has convened the response team, the response team should conduct a post-breach review (and draft a report) assessing the OAIC’s response to the breach and the effectiveness of this data breach response plan. The review should consider:
- the full investigation of the cause of the breach
- implementing a strategy to identify and address any weaknesses in data handling that contributed to the breach
- updating data breach response plan if necessary
- making appropriate changes to policies and procedures if necessary
- revising staff training practices if necessary
- considering the option of an audit to ensure necessary outcomes are affected
- considering whether the response team needs other expertise
- the preservation of evidence to determine the cause of the breach or allowing the OAIC to take appropriate corrective action
- a communications or media strategy to manage public expectations and media interest.
The post-breach review report to be drafted by response team members should outline the above considerations, identify any weaknesses in this data breach response plan and include recommendations for revisions or staff training as needed. As part of the review the response team should refer to the OAIC’s Guide to securing personal information.
The response team should also consider the following documents where applicable:
- OAIC Business Continuity plan
- ICT Incident Response plan
- ICT Disaster recovery plan.
The response team should report the results of the post-breach review (and hand up the post-breach review report) to the OAIC’s Executive members at the OAIC’s fortnightly Operations Committee meeting.
Testing this plan
Members of the response team should test this plan with a hypothetical data breach at least annually to ensure that it is effective. As with the post-breach review following an actual data breach, the response team must report to the OAIC Executive on the outcome of the test(s) and make any recommendations for improving the data breach response plan.
Documents created by the response team, including post-breach and testing reviews, should be saved in the following TRIM container:
- Data Breach Response – reports and investigation of data breaches within the OAIC
The OAIC’s privacy management plan states that the internal handling of personal information will be an agenda item on the Executive group meetings at least once each quarter and include a report of any privacy complaints against the OAIC and internal data breaches.
The Assistant Commissioner, Corporate should liaise with the Chief Privacy Officer on the preparation of quarterly reports on internal data breaches.
OAIC’s Data Breach Response Check List
Step 1: Identify the breach (OAIC officer)
Record and advise your Director of the following:
- the time and date the suspected breach was discovered
- the type of personal information involved
- the type of personal information involved
- the context of the affected information and the breach.
Step 1: Contain the breach (EL2 Director)
- Understand and assess the data breach, or suspected data breach.
- Co-ordinate any action required to contain the data breach.
- Notify the Chief Privacy Officer about the data breach.
Step 2: Assess the risks for individuals associated with the breach (Chief Privacy Officer)
- Conduct initial investigation to establish the cause and extent of the breach.
- Assess priorities and risks based on what is known.
- Notify OAIC Executive about the data breach.
- Keep appropriate records of the suspected breach including any action taken.
Step 3: Consider breach notification and convene response team
- Determine who needs to be made aware of the breach at this preliminary stage.
- Determine whether and how to notify affected individuals.
- Determine whether to escalate the data breach to the response team.
- Convene the response team, if necessary.
- Determine whether the breach is an eligible data breach under the NDB scheme.
- Notify the AIC of the NDB, if necessary.
Step 4: Review the incident and take action to prevent future breaches
- Fully investigate the cause of the breach.
- Implement a strategy to identify and address any weaknesses in OAIC data handling.
- Conduct a post-breach review and report to OAIC Executive on outcomes and recommendations.