Hot off the press: Key takeaways from the OAIC's Data breach preparation and response guide

In brief

On Tuesday, 20 February 2018, the Office of the Australian Information Commissioner (OAIC) published a comprehensive new guide to the Notifiable Data Breaches (NDB) Scheme.

The Data breach preparation and response guide consolidates information from the OAIC's Data breach notification – A guide to handling personal information security breaches released in 2014, the Guide to developing a data breach response plan released in 2016 and the resources published at the end of 2017 to assist entities to comply with the NDB Scheme.

To save you the detailed read (which we recommend you take the time to do when you can!), we've set out a quick overview of each of the five sections of the guide and the highlights from each.

• Part 1 – Data Breaches and the Australian Privacy Act: This introductory section provides a high-level introduction to the Australian Privacy Principles (the APPs), the NDB Scheme and the Privacy Act 1988 (Cth). A great refresher for those who need to brush up on the basics.
• Part 2 – Preparing a data breach response plan: This section provides detailed guidance on how to prepare your data breach response plan, drawing on the 2016 guide and integrating the new NDB Scheme obligations. Our article Your data breach response plan should… sets out the key features your plan should have based on the OAIC's guidance. Other highlights from this section include:
  • A recommendation that organisations have a 'data breach response team' that is responsible for carrying out their plan.
  • The OAIC has again flagged that having a data breach response plan can be one of the reasonable steps that go towards meeting your obligations under APP 11 to keep personal information secure.
  • An emphasis on regularly reviewing and testing your plan and practising your response – this means war games, hypotheticals and scenario testing.
  • If you have cyber insurance or another insurance policy that covers data breaches, the OAIC recommends consulting with your insurer when setting up your data breach response team and considering whether they have a pre-established panel of external providers you can include on your team.
  • A quick checklist to confirm that your data breach response plan addresses relevant issues.
• Part 3 – Responding to data breaches – four key steps: Much like its 2014 guidance, the OAIC sets out four key steps to responding to a data breach – Contain, Assess, Notify and Review. Importantly, these steps now integrate the notification obligations under the NDB Scheme. Highlights from this section include:
  • A helpful one-page flow chart on how to respond to a data breach – you may want to consider adapting and incorporating a decision tree of this kind into your data breach response plan to assist quick but considered decision making.
  • The OAIC flags that you should consider your other notification obligations, for example, under the EU General Data Protection Regulation. See item 5 in our article Five things you didn't know about the NDB Scheme for more on other notification obligations that might be relevant to you.
  • Although the notification obligations under the NDB Scheme are in focus, the OAIC suggests that entities should consider when individuals should be notified where the NDB Scheme does not apply. Again, see item 5 in our article Five things you didn't know about the NDB Scheme for more on this.
• Part 4 – Notifiable Data Breach (NDB) Scheme: This section consolidates the resources published at the end of 2017 into the one document. We won't go into too much detail on these as we have covered their contents in this edition and earlier editions of Pulse. In particular, see Double trouble: how to handle a data breach involving more than one organisation, How to determine whether you have suffered an eligible data breach, and Your guide to notifying an eligible data breach in this edition.
• Part 5 – Other sources of information: The final section of the OAIC's guide contains a helpful list of:
  • other organisations who may be able to provide assistance in the event of a data breach, for example, the Australian Cyber Security Centre and Computer Emergency Response Team (CERT) Australia; and
  • other cyber security resources and standards that may help to prepare for and respond to data breaches, for example, the International Organisation for Standardization (ISO) and Standards Australia's information security management standards and the USA's National Institute of Standards and Technology (NIST) frameworks.