Proximity

Time and money—the real cost of data breach, how best to avoid a breach and how to respond


Published

21/02/2023

Best practice to avoid a data breach

The protections in the Privacy Act alone can’t prevent a data breach occurring. Entities must take active steps to manage personal information and guard against a data breach occurring.

Having a Privacy Management Plan (PMP) is one of the most effective risk management strategies. A PMP describes the measures an entity will take to ensure compliance with privacy obligations and identifies specific, measurable goals and targets.

The privacy maturity of the entity should be assessed in the PMP. This assessment can then be used to establish a scalable, risk-based approach and to set benchmarks that are reviewed on a regular (generally annual) basis. The maturity assessment helps an entity determine how well it has implemented its privacy program to date and flags any gaps or opportunities. Privacy maturity gaps are red flags for potential compliance issues and for whether the entity’s privacy policy and notices are adequate.

The next steps in the PMP typically involve setting compliance actions to address compliance gaps and actions to improve privacy maturity. These actions should be reviewed once the PMP has been implemented to see how well the entity has delivered against its PMP.

To manage privacy risks on an ongoing basis, privacy threshold assessments (PTA) should be conducted for all projects involving personal information to determine the potential privacy impacts.

A PTA will indicate if there is a high privacy risk. In these cases, entities should conduct a Privacy Impact Assessment (PIA) for the project. A PIA is a systematic assessment of the project with reference to the Australian Privacy Principles that:

  • describes the personal information flows in a proposal
  • analyses the possible privacy impacts of those flows
  • assesses the impact the project may have on the privacy of individuals
  • explains how those impacts will be eliminated or minimised.

If a data breach occurs, what happens next?

In response to a data breach, an entity should follow these four key steps:

  • Contain the breach—immediately
  • Assess the breach to identify and mitigate risk—as a priority
  • Notify affected individuals—as soon as possible
  • Review and adapt to learn and improve practices—as soon as the dust has settled.

Notification considerations

The main objective of the Notifiable Data Breach Scheme in the Privacy Act is to ensure that individuals (and the Information Commissioner) are notified of serious data breaches.

If the Scheme applies, an entity must notify affected individuals of the breach and identify steps they can take to manage the consequences of the data breach. This may include advice about:

  • mechanisms to limit the possible consequences, such as applying for a Commonwealth Victim’s Certificate (used to re-establish the person’s credentials or to help explain fraudulent transactions)
  • support organisations such as IDCARE (a not-for-profit support service for victims of identity crime, which provides counselling and assistance in recovering lost funds and identity credentials)
  • sources of information on how the consequences of a data breach might be managed, such as the eSafety Commissioner, the OAIC and so on.

However, there may be circumstances where it is not in the best interest of the individual to be informed of the breach (such as where notification could cause undue stress or harm to the affected individual). In such circumstances, entities should seek the advice of the Information Commissioner, as it is the Commissioner who must decide whether individuals should not be advised of the breach.

The widespread and critical commentary about a perceived failure on the part of Optus and Medibank to keep individuals informed demonstrates the potential pitfalls of communications about a data breach. It also demonstrates the importance of ongoing communication and the need to adapt the communication strategy as the matter evolves.
