Overview: Personal data security breach management

Best practice before a breach occurs

An organisation can seek to prevent or minimise a personal data security breach occurring by implementing an effective organisational data security compliance framework.

An effective organisational data security compliance framework can avoid or minimise the risk of an organisation and individuals within it breaching personal data security obligations.

Such a framework should usually include:

  • regular audits of the organisation’s IT security policies, systems, controls, processes and practices;
  • effective IT security policies, systems, controls, processes and practices;
  • staff training and awareness of data security obligations;
  • a positive and strong compliance culture; and
  • ongoing governance oversight.

An organisation should conduct regular audits of the organisation’s IT security systems, processes, practices and policies.

An organisation should develop and maintain effective IT security policies, systems, controls, processes and practices to prevent or minimise the risk of breach of data security obligations.

Employees should receive regular training on compliance with data security requirements.

The main objective of the training should be to build and maintain a good level of current awareness of how to comply with, and avoid breaching, data security obligations.

Employees of an organisation whose roles involve performing services for the organisation’s customers should be familiar with any contractual obligations that the organisation has to the customer concerning data security requirements.

Organisations should develop and maintain a positive and strong compliance culture in relation to data security obligations.

A positive and strong compliance culture can embed best practice with respect to data security awareness and compliance within the values of an organisation and the values and behaviours of its staff.

An organisation should also implement effective internal governance processes and oversight of data security issues.

Internal governance processes should enable the timely and accurate reporting of data security compliance issues and breaches to relevant internal stakeholders.

See Best practice before a breach occurs.

Responding to a data security breach as it occurs

To determine how to respond to a data security breach involving the personal information of one or more individuals, the organisation should determine:

  • what is the nature of the data security breach;
  • what is/are the cause(s) of the data security breach;
  • who is affected by the data security breach; and
  • what are the potential consequences for the organisation and those affected by the data security breach.

An organisation should have one or more decision-makers (ie a response team) who are responsible for:

  • assessing the nature and cause(s) of a data security breach;
  • identifying who is affected and what the potential consequences are; and
  • deciding upon an appropriate course of action for the organisation in relation to a data security breach.

It is important for an organisation to first identify the nature of a data security breach, to help it determine and plan an appropriate response.

It is also important for an organisation to identify the actual and potential consequence(s) of a data security breach.

This will help the organisation to prepare an appropriate response to the data security breach, including what actions and organisational resources are required to achieve an appropriate response.

Promptly upon becoming aware of a data security breach, an organisation should ensure that key internal stakeholders are:

  • alerted to the occurrence of the data security breach; and
  • given sufficient information in relation to the data security breach as soon as possible to enable them to assess the potential impacts of the occurrence.

An organisation may need to develop a different response depending on whether it is at fault or whether another organisation or person is at fault.

Such response should take into account a range of considerations, including complying with any relevant contracts with affected parties and communications with affected parties.

See Responding to a data security breach as it occurs.

Compliance after a data security breach has occurred

Once an organisation has responded to and resolved a data security breach issue, it should:

  • conduct an internal audit to determine the root cause(s) of the data security breach;
  • determine what remediation measures are required to prevent or minimise the possibility of any recurrence of the data security breach; and
  • implement the necessary remediation measures and monitor their effectiveness.

Consideration should be given to whether offshore data transfers comply with APP 8 and whether an offshore data transfer agreement is required.

See Compliance after a data security breach has occurred.