Strong data management is integral to the operation of businesses and government agencies worldwide. Digital platforms and technologies that utilise user data to provide personalised products or services have proliferated across communities and industries. At the same time, data analysis has been widely recognised for its value as fuel for innovation that can benefit the community in unprecedented ways, including identifying gaps in services, revealing needs for new or different products, and enabling better-informed policy-making.
In this environment, the success of an organisation that handles personal information or a project that involves personal information depends on trust. People have to trust that their privacy is protected, and be confident that personal information will be handled in line with their expectations.
As we’ve found in our long-running national community attitudes to privacy survey, if an organisation does not demonstrate a commitment to privacy, people will look for alternative suppliers, products, and services.
One of the biggest risks organisations face in this context is a data breach. A data breach involving personal information can put affected individuals at risk of serious harm and consequently damage an organisation’s reputation as a data custodian.
However, it is important to recognise that consumer and community trust is not necessarily extinguished immediately after a data breach occurs. After all, history has shown us that even organisations with great information security can fall victim to a data breach, due to the rapid evolution of data security threats and the difficulty of removing the risk of human error in large and complex organisations.
When a data breach occurs, a quick and effective response can have a positive impact on people’s perceptions of an organisation’s trustworthiness. That is why being prepared for a data breach is important for all organisations that handle personal information.
By an ‘effective’ response to a data breach, I mean a response that successfully reduces or removes the risk of harm to individuals, and which aligns with legislative requirements and community expectations.
This guide aims to assist you in developing and implementing an effective data breach response. It outlines the requirements relating to data breaches in the Privacy Act 1988 (Cth) (Privacy Act), including personal information security requirements and the mandatory data breach reporting obligations of the Notifiable Data Breaches (NDB) scheme. The guide also covers other key considerations in developing a robust data breach response strategy, including the key steps to take when a breach occurs, the capabilities of staff, and governance processes.
While this guide is primarily for Australian Government agencies and private sector organisations with obligations under the Privacy Act, the information provided is useful to any organisation operating in Australia. Taken holistically, the information provided in this guide provides a framework for meeting expectations for accountability and transparency in data breach prevention and management, which is key to maintaining and building consumer and community trust.
Timothy Pilgrim PSM
Australian Information Commissioner
Australian Privacy Commissioner