Data Breach Response Plan
This policy sets out the steps to be taken by staff members if BUMP experiences a data breach (or suspects that a data breach has occurred). It covers:
- The actions to be taken if a breach is suspected, discovered or reported by a staff member, including when it is to be escalated to the data breach response team;
- The members of our data breach response team; and
- The actions the response team is expected to take.
We are committed to the safe keeping of our clients’ and staff’s personal information. We have policies and processes in place that seek to minimise an accidental, inadvertent or malicious data breach or disclosure to unauthorised parties. Compliance with this Response Plan will ensure that BUMP can contain, assess and respond to data breaches in a timely fashion in order to mitigate potential harm to affected persons.
What is personal information?
Personal information can be generally described as information or an opinion about an identified individual, or an individual who is reasonably identifiable. Examples include name, date of birth, contact details, and bank or payment information.
BUMP collects personal information about its staff and members for the purposes of maintaining accurate employment records and to enable us to provide services to our members. We may also collect ‘sensitive information’ about members (always with their consent), including general health information used to assess their readiness for physical exercise. Sensitive information is a special class of personal information which attracts additional privacy protections compared to other types of personal information.
What is a data breach?
A data breach occurs when personal information is lost or subjected to unauthorised access, modification, use or disclosure or other misuse.
Examples of a data breach include when:
(a) a device containing personal information of clients is lost or stolen;
(b) an entity’s database containing personal information is hacked; or
(c) an entity mistakenly provides personal information to the wrong person.
Any data breach (or suspected breach) must be taken seriously. Actions taken in the first 24 hours in responding to a breach (or suspected breach) are crucial.
What are our obligations when a data breach occurs?
A data breach needs to be notified to the relevant regulator and to affected individuals when:
(a) it is likely to result in serious harm to an individual affected by the breach; and
(b) the risk of serious harm cannot be prevented.
A notifiable data breach (otherwise known as an ‘eligible data breach’) can occur irrespective of the number of individuals that are likely to be at risk of serious harm.
A determination of whether a data breach has or may cause serious harm will be dependent upon the following factors:
· the sensitivity of the personal information which has been exposed due to the data breach;
· whether the information is protected by security measures and the likelihood that any such security measures could be overcome;
· who has or may have obtained or could obtain the information; and
· the nature of the harm, for example, whether any affected individuals will suffer financial or reputational damage.
2. Assessing a suspected data breach
The Australian Privacy Act 1988 (Cth) requires an entity to take all reasonable steps to complete the assessment (and notify the Office of the Australian Information Commissioner (OAIC) as required) within 30 calendar days after the day the entity became aware of the grounds (or information) that caused it to suspect an eligible data breach.
If we suspect that an eligible data breach has occurred, we will take the following steps.
(a) We will contain the breach where possible and take remedial action.
(b) We will conduct a reasonable and expeditious assessment of the breach to determine whether notification is required. We will take all reasonable steps to complete our assessment within 30 calendar days after the day we first became aware of the suspected data breach.
(c) Where serious harm cannot be mitigated through remedial action, we will notify individuals at risk of serious harm and provide a statement to the OAIC as soon as practicable, but not later than 30 calendar days from becoming aware of the breach.
If it is not practicable to notify individuals at risk of serious harm, we will publish a copy of the statement prepared for the OAIC on our website, and take reasonable steps to bring its contents to the attention of individuals at risk of serious harm.
2.2 Eligible data breach statement
A statement about an eligible data breach will include the following.
(a) Contact information of areas or personnel within our organisation that can answer questions, provide further information or address specific privacy concerns.
(b) A description of the type of personal information involved in the breach. Personal information will not be included in the notification to avoid possible further unauthorised disclosure. The notice should not include information that would reveal specific system vulnerabilities.
(c) Recommendations about the steps individuals should take in response to the breach.
(d) A description of what we have done to control or reduce the harm, and proposed future steps that are planned.
(e) What we will do to assist individuals and what steps the individual can take to avoid or reduce the risk of harm or to further protect themselves.
(f) Sources of information designed to assist individuals in protecting against identity theft or interferences with privacy.
(g) Whether we have notified the OAIC or other parties.
(h) Information on internal dispute resolution processes and how the individual can make a complaint and that if individuals are not satisfied with our response to resolve the issue, they can make a complaint to the OAIC.
3. Staff responsibilities
If a staff member discovers a data breach or suspected data breach, they must immediately notify the Privacy Officer including as much information as is known regarding:
(a) what the breach is and how it occurred;
(b) who or what the data relates to; and
(c) the time and date that the breach occurred and was discovered.
4. Responding to a suspected data breach
The Privacy Officer will follow four steps when responding to a breach or suspected breach.
(a) Contain the breach and make a preliminary assessment.
(b) Evaluate the risks associated with the breach.
(c) Consider breach notification.
(d) Review the incident and take action to prevent future breaches.
4.2 Preliminary assessment
Upon identifying a suspected data breach, the Privacy Officer will:
(a) convene a meeting of staff who, together with the Privacy Officer, will be tasked with responding to the data breach (the data breach response team);
(b) immediately contain the breach;
(c) ensure evidence is preserved that may be valuable in determining the cause of the breach and taking appropriate corrective action; and
(d) consider developing a communications or media strategy to manage public expectations and media interest if this is considered appropriate.
4.3 Evaluating risks
After containing the breach, the data breach response team will:
(a) conduct an initial investigation and collect information about the breach promptly, including:
· the date, time, duration and location of the breach;
· the type of personal information involved in the breach;
· how the breach was discovered and by whom;
· the cause and extent of the breach;
· a list of the affected individuals, or possible affected individuals;
· the risk of serious harm to the affected individuals;
· the risk of other harms;
(b) determine whether the context of the information is important;
(c) establish the cause and extent of the breach;
(d) assess priorities and risks based on what we know; and
(e) keep appropriate records of the suspected breach and actions of the response team, including the steps taken to rectify the situation and the decisions made.
4.4 Notification
After evaluating the data breach, the data breach response team will:
(a) determine who needs to be made aware of the breach (internally and potentially externally);
(b) determine whether to notify affected individuals;
(c) notify the OAIC if it is an eligible data breach; and
(d) consider whether others should be notified, including police/law enforcement or other agencies or organisations affected by the breach.
4.5 Prevent future breaches
The final step is for the data breach response team to fully investigate the cause of the breach.
We will consider whether it is appropriate or necessary to:
(a) make changes to our policies and procedures;
(b) revise our staff training practices; and
(c) update this Response Plan.
5. Privacy Officer
BUMP’s Privacy Officer for the time being is [Ross Lucas].
This Data Breach Response Plan is current as at [4 July] 2020.