Data breach response plan

This data breach response plan (response plan) sets out procedures and lines of authority for OAIC staff in the event the OAIC experiences a data breach (or suspects that a data breach has occurred). A data breach occurs when personal information is accessed or disclosed without authorisation or lost.

Under the Notifiable Data Breaches (NDB) scheme the OAIC must notify affected individuals and the OAIC (as regulator) when it has reasonable grounds to believe that there has been an eligible data breach of the entity.

An eligible data breach occurs when the following criteria are met:

• There is unauthorised access to or disclosure of personal information held by an organisation or agency (or information is lost in circumstances where unauthorised access or disclosure is likely to occur).
• This is likely to result in serious harm to any of the individuals to whom the information relates.
• The organisation or agency has been unable to prevent the likely risk of serious harm with remedial action.

For good privacy practice purposes, this response plan is not restricted to eligible data breaches and covers any instances of unauthorised use, modification, interference with or loss of personal information held by the OAIC. Data breaches can be caused or exacerbated by a variety of factors, impact different types of personal information and give rise to a range of actual or potential harms to individuals and entities.

This response plan is intended to enable the OAIC to contain, assess and respond to data breaches quickly, to help mitigate potential harm to affected individuals and to comply with the NDB scheme. Our actions in the first 24 hours after discovering a data breach are crucial to the success of our response.

The plan:

• sets out contact details for the appropriate staff in the event of a data breach
• clarifies the roles and responsibilities of staff
• documents processes to assist the OAIC to respond to a data breach.

What is a data breach?

A data breach occurs when personal information is accessed or disclosed without authorisation or loss. A data breach may be on purpose or by accident. Examples include:

• a misdirected email
• a hack
• disclosure over the phone
• phishing attack.

How do we respond to a data breach?

There is no single method of responding to a data breach. Data breaches must be dealt with on a case-by-case basis, by undertaking an assessment of the risks involved, and using that risk assessment to decide the appropriate course of action. Depending on the nature of the breach, the response team (in instances where it is necessary to convene the response team) may need to include additional staff or external experts, for example an IT specialist/data forensics expert or a human resources adviser.

When responding to a data breach officers should ideally undertake steps 1, 2 and 3 either simultaneously or in quick succession.

An assessment must be conducted expeditiously. Reasonable steps must be taken to conclude an assessment within 30 days.

At all times, officers should consider what remedial action can be taken to reduce any potential harm to individuals.

Officers should refer to the checklist below and to the  OAIC’s Data breach preparation and response — A guide to managing data breaches in accordance with the Privacy Act 1988 (Cth),which provides further detail on each step.

Depending on the breach, not all steps may be necessary, or some steps may be combined. In some cases, it may be appropriate to take additional steps that are specific to the nature of the breach.

1. Identify the breach

A suspected data breach may be discovered by an OAIC staff member or contractor or the OAIC may be otherwise alerted (eg. by a member of the public or the media).

If you become aware of, or are notified of a data breach, immediately notify your EL2 Director of the suspected data breach. A data breach suspected by a member of the Executive or a Director may be reported directly to the Chief Privacy Officer.

Record and advise your Director of the following:

• the time and date the suspected breach was discovered,
• the type of personal information involved,
• the cause and extent of the breach, and
• the context of the affected information and the breach.

2. Contain the breach and notify the Chief Privacy Officer (Director)

The EL2 Director should seek to understand, assess and contain the breach. As soon the Director is made aware of the breach or suspected breach, the Director should seek all the facts to enable an initial assessment of whether a data breach has or may have occurred and the seriousness of the data breach or suspected data breach. This should be done within the first hour of being so made aware. This may require engaging with the Department of Employment and Workplace Relations (DEWR), if it requires seeking out information in relation to the management of the OAIC’s IT systems. Engagement with DEWR should be conducted in consultation with Director, Corporate Services.

The Director should co-ordinate any immediate action required to contain the breach. Depending on the breach, this may include contacting incorrect recipients requesting them to delete the email or requesting information be removed from a website.

The EL2 Director should notify the Chief Privacy Officer about the data breach, ideally by phone in the first instance, and then a follow-up email as soon as reasonably practicable after co-ordinating any immediate action. Notification should occur within the same working day as being made aware of the breach and co-ordinating immediate action. Notification to the Chief Privacy Officer should include the provision of the following information:

• the information provided by the OAIC officer in identifying the data breach,
• a description of the breach or suspected breach,
• the action taken by the Director or OAIC officer to address the breach or suspected breach,
• the outcome of that action,
• a view as to the seriousness of the breach, and
• a view as to whether any further action is required.

3. Assess the risks for individuals associated with the breach and make a record (Chief Privacy Officer)

Assessment by the Chief Privacy Officer

It is the Chief Privacy Officer’s role to determine whether the breach constitutes an eligible data breach (notifiable data breach).  The Chief Privacy Officer should initially assess the data breach, which may involve asking for further information or documentation from the EL2 Director who reported the breach or the OAIC officer who identified the breach.

Collection of the following information about the breach should form part of that assessment by the Chief Privacy Officer:

• the date, time, duration, and location of the breach
• the type of personal information involved in the breach
• how the breach was discovered and by whom
• the cause and extent of the breach
• a list of the affected individuals, or possible affected individuals
• the risk of serious harm to the affected individuals
• the risk of other harms.

Following that assessment, the Chief Privacy Officer must decide whether any further action is required to contain the breach, including but not limited to the following:

• recommending to Chief Information Officer to implement the Cyber Security Incident Response Plan ICT Incident Response Plan if necessary
• alerting building security if necessary
• advising TRIM/Resolve systems administrator.

Record-Keeping

The Chief Privacy Officer co-ordinates the record keeping for each data breach in the OAIC Data Breach Incident Log ensuring this and any other relevant documentation is stored in the OAIC’s information management system.

Information about every data breach will be recorded in the Data Breach Incident Log, regardless of whether the Data Breach Response team is convened or the breach amounts to a notifiable data breach. The Log must include the reasons why the Chief Privacy Officer did or did not convene the response team or classify the matter as a Notifiable Data Breach, with links to the relevant decision documents.

Informing the Executive

The Chief Privacy Officer must inform the OAIC Executive as soon as possible after being made aware of a suspected or actual data breach which the Chief Privacy Officer initially assesses as a potential notifiable data breach, or the suspected or actual breach raises other significant issues, such as security or safety issues. The Chief Privacy Officer must in such cases, provide ongoing updates on key developments. Those updates to Executive may be daily or weekly depending on the nature and severity of the data breach, and how quickly any remedial action can be taken and resolved. The frequency of reporting will be ascertained on a case-to-case basis.

The General Manager, Enabling Services and Executive General Manager, Information Rights must be informed on every occasion of an actual or suspected data breach. Other Executive members are to be relevantly informed on a case-to-case basis. This means if the incident arose from the conduct of Regulatory Intelligence & Strategy staff, the Chief Privacy Officer would be required to (additionally) inform the General Manager, Regulatory Intelligence & Strategy. In some cases, the relevant Executive member may have already been notified by EL 2 Director. The Chief Privacy Officer is required to inform the Australian Information Commissioner directly in the event the matter triggers the formation of the data breach response team.

4. Consider breach notification and calling data breach response team

On each occasion of a data breach, the Chief Privacy Office must consider whether to convene the Data Breach Response Team (response team).

Some data breaches may be comparatively minor, and able to be dealt with easily without action from response team. The convening of the response team is generally restricted to instances where the Chief Privacy Officer suspects or is aware that the data breach concerned constitutes a notifiable data breach, or the data breach raises other significant issues, such as security or safety concerns.

For example, an OAIC officer may, as a result of human error, send an email containing personal information to the wrong recipient. Depending on the sensitivity of the contents of the email, if the email can be successfully recalled (only relates to internal emails), or if the officer can contact the recipient and obtain an assurance that the recipient has deleted the email, it may be that there is no utility in escalating the issue to the response team.

The Chief Privacy Officer should use their discretion in determining whether a data breach or suspected data breach requires escalation to the response team. The decision to escalate to the response team should be made immediately following the Chief Privacy Officer’s assessment about the data breach after discussions with the relevant Director and the collation of relevant material.

In making that decision the Chief Privacy Officer should consider the following questions:

• Are multiple individuals affected by the breach or suspected breach?
• Is there (or may there be) a real risk of serious harm to any of the affected individual(s)?
• Does the breach or suspected breach indicate a systemic problem in OAIC processes or procedures?
• Could there be media or stakeholder attention because of the breach or suspected breach?

Once the Chief Privacy Officer decides that a data breach or suspected data breach requires escalation to the response team, they should co-ordinate the convening of the response team, ideally on the same working day. The response team should be convened with members meeting in person or via secure teleconference facilities. At that initial convening, the data response team must:

• Assess priorities and risks based on what is known.
• Establish an initial investigation plan, which aims to:
  • collect information about the breach promptly
  • establish the cause and extent of the breach, if unknown
• Determine who needs to be made aware of the breach (internally, and potentially externally) at this preliminary stage.

The OAIC will generally have the capacity to undertake the steps outlined in this data breach response plan. However, in circumstances where it is unable to do so it may be necessary to engage an external provider to investigate a suspected data breach.

In these circumstances the OAIC may engage an external provider such as:

• external investigators
• specialised law firms
• cyber security consultants

It is the Chief Privacy Officer’s role to determine whether the breach constitutes a notifiable data breach.  This decision may be informed by the views of the response team. If the Chief Privacy Officer determines that the data breach is an eligible data breach, they and the response team must co-ordinate notifications required under the NDB scheme. If there are reasonable grounds to believe an eligible data breach has occurred, the OAIC must promptly notify any individual at risk of serious harm and notify the Australian Information Commissioner using the NDB form on the OAIC’s website.

The Chief Privacy Officer and/or response team should consider whether others should be notified, including:

• the Australian Cyber Security Centre (ACSC), police/law enforcement
• other agencies or organisations that:
  • may be affected by the breach
  • can assist in containing the breach
  • can assist individuals affected by breach
• where the OAIC is contractually required or required under the terms of an MOU or similar obligation to notify specific parties
• affected individuals
• Comcover

5. Review the incident and take action to prevent future breaches

Following data breaches, in cases where the response team has not been convened or the data breaches do not constitute eligible data breaches, the Chief Privacy Officer together with the relevant General Manager and Director will undertake a post-breach review and may in cases where the breach is not minor or trivial, and depending on issues arising from that post-breach assessment, draft a report outlining the cause of the breach, implementing any strategies to identify and address any weaknesses in data handling that may have contributed to the breach, and making appropriate changes to policies and procedures if necessary.

In cases where the Chief Privacy Officer has convened the response team, the response team should conduct a post-breach review within 3 months of the initial convening of the response team (and draft a report) assessing the OAIC’s overall management of the data breach and the effectiveness of this data breach response plan. The review should, if necessary:

• identify the root cause(s) of the breach
• identify what systems or procedures were involved
• review and apply ‘lessons learned’ from the data breach and the OAIC’s response to, and management of, the data breach, including:
• design and implement a strategy to identify and address any weaknesses in data handling, including systems and procedures, that contributed to the breach
• Identify any necessary revision of staff training practices
• identify any weaknesses in the data breach response plan, including whether the response team needs other expertise to improve management of data breach incidents
• identify any necessary changes to policies and procedures
• implement a communications or media strategy to manage public expectations and media interest.

The post-breach review report to be drafted by response team members should outline the above considerations, identify any weaknesses in this data breach response plan and include recommendations for revisions or staff training as needed. As part of the review the response team should refer to the OAIC’s Guide to securing personal information.

The response team should also consider the following documents where applicable, identifying any weaknesses in the documented processes or procedures under those plans and making recommendations for revisions where relevant:

• OAIC Business Continuity Plan
• ICT Incident Response Plan
• ICT Disaster recovery plan

The response team should report the results of the post-breach review (and hand up the post-breach review report) to the OAIC’s executive members at the OAIC’s monthly Governance Board meeting.

Members of the response team should test the data breach response plan with a hypothetical data breach at least annually to ensure that it is effective. As with the post-breach review following an actual data breach, the response team must report to the OAIC Executive on the outcome of the test(s) and make any recommendations for improving the data breach response plan.

Documents created by the response team, including post-breach and testing reviews, should be saved in the following Content Manager container:

• Data Breach Response – reports and investigation of data breaches within the OAIC.

The OAIC’s privacy management plan states that the internal handling of personal information will be an agenda item on the former Executive Management Committee meetings at least once each quarter (now the OAIC Governance Board) and include a report of any privacy complaints against the OAIC and internal data breaches.

6. OAIC’s Data Breach Response Check List

Record and advise your Director of the following:

• the time and date the suspected breach was discovered,
• the type of personal information involved,
• the cause and extent of the breach, and
• the context of the affected information and the breach.

• Understand and assess the data breach, or suspected data breach
• Co-ordinate any action required to contain the data breach
• Notify the Chief Privacy Officer about the data breach.

• Conduct initial assessment to establish the cause and extent of the breach, and reach a preliminary conclusion on whether the data breach is notifiable.
• Assess priorities and risks based on what is known.
• Notify OAIC Executive about the data breach in cases where notifiable data breach is suspected or known, or where the breach raises other concerns, such as security or safety issues.
• Keep appropriate records of the suspected or actual breach including any action taken.

• Determine who needs to be made aware of the breach at this preliminary stage.
• Determine whether and how to notify affected individuals.
• Determine whether to escalate the data breach to the response team.
• Convene the response team, if necessary.
• Determine whether the breach is an eligible data breach under the NDB scheme.
• Notify the AIC and the NDB team, if necessary.

• Fully investigate the cause of the breach, including the systems, processes and procedures involved.
• Implement a strategy to identify and address any weaknesses in OAIC data handling.
• Conduct a post-breach review and report to OAIC Executive on outcomes and recommendations.