Australian Government - Office of the Australian Information Commissioner

Consultation information: Guide to developing a data breach response plan

Under the Privacy Act 1988 (Cth) Australian Government agencies and private sector organisations have obligations to take reasonable steps to protect the personal information that they hold from misuse, interference and loss, and from unauthorised access, modification or disclosure. One of those reasonable steps may include the preparation and implementation of a data breach response plan.


The OAIC’s established publication, Data breach notification — A guide to handling personal information security breaches (DBN guide), focuses on the steps an agency or organisation can take after a data breach involving personal information occurs. It also encourages agencies and organisations to proactively put in place a data breach response plan.

The OAIC is now consulting on a draft Guide to developing a data breach response plan (draft guide). The purpose of the draft guide is to give more information on the steps agencies and organisations can take up front to make sure they have the right people and systems in place to be ready to manage a data breach.

Guide to developing a data breach response plan

The draft guide is aimed at helping agencies and organisations that handle personal information and are covered by the Privacy Act to develop a data breach response plan. State and territory government agencies, as well as private sector entities not covered by the Privacy Act, may also find the draft guide helpful in outlining good privacy practice.

A data breach response plan is a framework which sets out the roles and responsibilities for managing an appropriate response to a data breach. This includes:

  • the actions to be taken if a breach is suspected, discovered or reported by a staff member, including when it is to be escalated to the response team
  • the members of the data breach response team
  • the actions the response team is expected to take.

The guide emphasises that an entity’s actions immediately following the discovery of a breach are often crucial to the success of a response and that quick responses can substantially decrease the impact on the affected individuals.

How to make comments

The OAIC invites your comments on the draft guide.

The closing date for comment is Friday 27 November 2015.

Submissions can be made to or GPO Box 5218 Sydney NSW 2001.

While submissions may be lodged electronically or by post, electronic lodgement is preferred. It would also be appreciated if your submission could be provided to us in a web accessible format or, alternatively, in a format that the OAIC can easily convert to HTML, e.g. Rich Text Format (.rtf) or Microsoft Word (.doc).

Stimulus questions

To assist you in preparing comments for this consultation, the OAIC has prepared the questions below which are intended to stimulate comments and reflections on the draft guide. They are not intended to confine the issues that may be raised. You may wish to respond to some or even all questions, or to raise other issues related to the draft guide.

  • Is the draft guide helpful and easy to read?
  • Does the draft guide provide adequate assistance for entities to develop a data breach response plan?
  • Does the draft guide accurately and appropriately complement the OAIC’s DBN guide? When the DBN guide is next updated, the OAIC is considering incorporating the draft guide into the DBN guide. Is there merit in keeping the draft guide as a stand-alone document or should the OAIC incorporate the draft guide into a revised version of the DBN guide?
  • Are there any other ways in which the draft guide could be enhanced?

Privacy collection statement

The OAIC will use the personal information it collects in the course of this consultation only for the purpose of considering and dealing with submissions.


  1. Department of Defence (PDF, 34.74 KB)
  2. Department of Social Services (PDF, 65.8 KB)
  3. Attorney-General’s Department (PDF, 77.28 KB)
  4. Telstra (PDF, 40.1 KB)
  5. AIG Australia (PDF, 74.54 KB)
  6. Australian Retail Credit Association (PDF, 63.07 KB)
  7. Confidential submission
  8. The Royal Australian College of General Practitioners (PDF, 107.03 KB)
  9. Department of Communications (PDF, 60.44 KB)
  10. Department of Finance (PDF, 96.16 KB)
  11. Australian Dental Association (PDF, 231.06 KB)
  12. HWL Ebsworth Lawyers (PDF, 14.68 KB)
  13. Law Council of Australia (PDF, 307.03 KB)
  14. National Archives of Australia (PDF, 49.41 KB)