The OAIC’s established publication, Data breach notification — A guide to handling personal information security breaches (DBN guide) focuses on the steps an agency or organisation can take after a data breach involving personal information occurs. It also encourages agencies and organisations to proactively put in place a data breach response plan.
The OAIC is now consulting on a draft Guide to developing a data breach response plan (draft guide). The purpose of the draft guide is to give more information on the steps agencies and organisations can take up front to make sure they have the right people and systems in place to be ready to manage a data breach.
Guide to developing a data breach response plan
The draft guide is aimed at helping agencies and organisations that handle personal information and are covered by the Privacy Act to develop a data breach response plan. State and territory government agencies, as well as private sector entities not covered by the Privacy Act, may also find the draft guide helpful in outlining good privacy practice.
A data breach response plan is a framework which sets out the roles and responsibilities for managing an appropriate response to a data breach. This includes:
- the actions to be taken if a breach is suspected, discovered or reported by a staff member, including when it is to be escalated to the response team
- the members of the data breach response team
- the actions the response team is expected to take.
The guide emphasises that an entity’s actions immediately following the discovery of a breach are often crucial to the success of a response and that quick responses can substantially decrease the impact on the affected individuals.
How to make comments
The OAIC invites your comments on the draft guide.
The closing date for comment is Friday 27 November 2015.
Submissions can be made to firstname.lastname@example.org or GPO Box 5218 Sydney NSW 2001.
While submissions may be lodged electronically or by post, electronic lodgement is preferred. It would also be appreciated if your submission could be provided to us in a web accessible format or, alternatively, in a format that would allow the OAIC to easily convert it to HTML, e.g. Rich Text Format (.rtf) or Microsoft Word (.doc).
To assist you in preparing comments for this consultation, the OAIC has prepared the questions below which are intended to stimulate comments and reflections on the draft guide. They are not intended to confine the issues that may be raised. You may wish to respond to some or even all questions, or to raise other issues related to the draft guide.
- Is the draft guide helpful and easy to read?
- Does the draft guide provide adequate assistance for entities to develop a data breach response plan?
- Does the draft guide accurately and appropriately complement the OAIC’s DBN guide? When the DBN guide is next updated, the OAIC is considering incorporating the draft guide into the DBN guide. Is there merit in keeping the draft guide as a stand-alone document, or should the OAIC incorporate the draft guide into a revised version of the DBN guide?
- Are there any other ways in which the draft guide could be enhanced?
Privacy collection statement
The OAIC will use the personal information it collects in the course of this consultation only for the purpose of considering and dealing with submissions.
- Department of Defence (34.74 KB)
- Department of Social Services (65.8 KB)
- Attorney-General’s Department (77.28 KB)
- Telstra (40.1 KB)
- AIG Australia (74.54 KB)
- Australian Retail Credit Association (63.07 KB)
- Confidential submission
- The Royal Australian College of General Practitioners (107.03 KB)
- Department of Communications (60.44 KB)
- Department of Finance (96.16 KB)
- Australian Dental Association (231.06 KB)
- HWL Ebsworth Lawyers (14.68 KB)
- Law Council of Australia (307.03 KB)
- National Archives of Australia (49.41 KB)