Financial Crime World

Managing Data Breaches at the Australian Office of the Information Commissioner (OAIC)

Overview

This plan sets out the OAIC's procedure for responding to a data breach: identifying the breach, containing it, assessing the risk to affected individuals, deciding whether to notify, convening a response team, reviewing the incident, and acting to prevent a recurrence.

Identifying the Breach

  • Record the time and date of discovery: Document exactly when the breach was discovered (and, if known, when it occurred). The discovery time anchors the response timeline, the assessment window under the NDB scheme, and any later review of how quickly corrective action was taken.
  • Determine the type of personal information involved: Identify the specific categories of personal information affected, such as names, addresses, identity document numbers, financial details or sensitive information (for example health information), since the category drives the likely harm to individuals.
  • Understand the context of the affected information and the breach: Establish how the breach occurred (for example a misdirected email, a lost device, a misconfigured system or unauthorised access), which systems and processes were involved, and whether human error, system failure or malicious activity is indicated.

Containing the Breach

  • Co-ordinate action to contain the data breach: Work with the relevant teams and stakeholders to limit further unauthorised access, disclosure or loss, for example by recovering the information, revoking access, taking an affected system offline or confirming that a recipient has deleted misdirected material. Containment actions should be recorded and should not destroy evidence needed for the investigation.
  • Notify the Chief Privacy Officer about the data breach: Inform the Chief Privacy Officer as soon as possible so that they are aware of the situation, can provide guidance and can decide on escalation.

Assessing Risks for Individuals

  • Conduct an initial investigation to establish the cause and extent of the breach: Gather more information on what happened, how it occurred, what information was involved and who was affected.
  • Assess priorities and risks based on what is known: Evaluate the potential harm to individuals (for example financial loss, identity fraud, physical safety or reputational harm), how likely that harm is, and whether any remedial action already taken has reduced it, and set priorities accordingly.
  • Keep appropriate records of the suspected breach, including any action taken: Document every decision and action taken during the response, with dates and times, to support accountability and any later reporting.

Considering Breach Notification and Convening Response Team

  • Determine who needs to be made aware of the breach at this preliminary stage: Identify the key stakeholders who should be informed, such as senior management, IT security, legal, or external parties including regulators or law enforcement where appropriate.
  • Determine whether and how to notify affected individuals: Decide whether individuals whose personal information has been compromised should be told, when, by what means, and what they should be advised to do to protect themselves.
  • Determine whether to escalate the data breach to the response team: Escalate where the breach is serious, affects many individuals, or cannot be contained and assessed by the initial responders alone.
  • Convene the response team, if necessary: Assemble the people needed to manage the response (typically privacy, legal, IT security, communications and the relevant business area) to co-ordinate investigation, remediation and communication.
  • Determine whether the breach is an eligible data breach under the Notifiable Data Breaches (NDB) scheme: A breach is an eligible data breach where there has been unauthorised access to, unauthorised disclosure of, or loss of personal information, a reasonable person would conclude that this is likely to result in serious harm to any of the individuals to whom the information relates, and remedial action has not prevented that likely serious harm. Where the breach is only suspected to be eligible, the assessment must be completed within 30 days of becoming aware of it; where it is eligible, the Commissioner and affected individuals must be notified as soon as practicable.

Reviewing Incident and Taking Action to Prevent Future Breaches

  • Fully investigate the cause of the breach: Conduct a thorough investigation to identify the root cause and any contributing factors, including whether existing controls failed or were absent.
  • Implement a strategy to identify and address any weaknesses in OAIC data handling: Develop and carry out measures to strengthen data security, including improvements to systems, processes, policies or staff training, and assign owners and timeframes for each measure.
  • Conduct a post-breach review and report to OAIC Executive on outcomes and recommendations: Document the lessons learned, the effectiveness of the response, and recommendations for improvement, and report these to the OAIC Executive so that similar breaches are prevented in future.