Privacy incident response plan

An incident response plan should be in a format that is easy to read and easy to follow. An incident response plan needs include details but also needs to be flexible so it can be applied to different incidents.

It’s recommended that a range of business groups contribute to the completion of the incident response plan, including:

• information security
• risk and assurance
• ICT
• communications
• legal
• service delivery/operations
• senior leadership team.

To ensure effective leadership and governance, the incident response plan should be reviewed and approved by the senior leadership team.

It’s important that an incident response plan clearly sets out the roles and responsibilities of those involved in the incident response. These roles and responsibilities will vary from agency to agency. 

The incident response plan should clarify the responsibilities between the Chief Security Office (CSO), Chief Information Officer (CIO), and Chief Privacy Officer (CPO), depending on the nature of the incident. A security breach of unauthorised access may need to be managed differently than a privacy breach of accidental disclosure.

The plan should also clarify who will be responsible for assessing if the breach reaches the level of serious harm and requires notification to the Office of the Privacy Commissioner, including who will input information into their online breach reporting tool NotifyUs.

Roles and responsibilities of groups involved in a privacy incident response.

In the event of an incident or breach, it’s important to understand who is responsible for contacting whom to ensure the incident response progresses effectively and in a timely manner. A communication tree is a useful tool for gathering and collating this information.

A communication tree should include contact information for:

• key individuals involved in incident response
• staff
• third party providers
• companies and agencies who can assist with the response
• Office of the Privacy Commissioner
• Government Chief Privacy Officer.

The communication tree should be regularly updated and tested to ensure it operates effectively.

Once a privacy breach is discovered it needs to be contained and assessed immediately.

Questions to ask:

• Is the first step of your plan to contain the breach as soon as it has been identified?
• Does your plan have clear instructions regarding who staff should contact to conduct an initial investigation and make containment recommendations?
• Is it clear within your plan when to escalate the incident and invoke the response plan?
• Does your plan clearly set out who needs to be informed in the event of an incident and when the incident needs to be reported to the Police?
• Does your plan advise the individuals responding to the incident to be careful not to destroy any evidence?

Once the privacy breach has been contained, an agency will need to assess the risks associated with the breach.

Questions to ask:

• Does your plan include a process for evaluating the risks associated with the privacy breach?
• Does your plan include, or link to, a risk matrix so you can understand the possible consequences and the likelihood of each risk occurring?
• Does your plan include severity ratings and escalation triggers?

The following questions may assist with evaluating the risk:

• Have you identified the types of personal information involved?
• Do you know what the personal information might reveal?
• Do you know whether the personal information is easy to access?
• Have you established the cause of the breach?
• Do you know the extent of the breach?
• Have you identified potential harms resulting from the breach?
• Do you know who holds the information now?

It’s important for an agency to be open and transparent with individuals about how it’s handling their personal information.

In the event of a privacy breach, an agency needs to consider each incident on a case-by-case basis whether to notify affected individuals or not. If there is a risk of harm, an agency should usually notify them, allowing them to take steps to protect themselves and regain control of their information as soon as possible.

If an agency has a privacy breach that’s likely to cause anyone serious harm, it’s legally required to notify OPC and any affected persons as soon as practicable.

Office of the Privacy Commissioner — Reporting privacy breaches (NotifyUs)

Questions to ask:

• Does your plan include a process for establishing whether you should notify affected individuals and/or the OPC? Each incident needs to be considered on a case-by-case basis, but factors to consider include:
  • the risk of harm to people affected
  • whether there’s a risk of identity theft or fraud
  • whether there’s there a risk of physical harm
  • whether there’s a risk of humiliation, loss of dignity, or damage to the person’s reputation or relationships (for example; if the lost information includes mental health, medical, or disciplinary records).
  • what affected people can do to avoid or minimise possible harm, for example, change a password
  • whether you have any legal or contractual obligations
• Does your plan account for the mandatory breach notification provisions included in the Privacy Act? 
• Does your plan include a process for how you will notify individuals (for example, by phone, letter, or email)?
• Does your plan set out the high-level content that needs to be included in the breach notification?
• Does your plan provide a process for engaging with third parties (for example, Police, insurers, relevant minister(s))?
• Does your plan include a communications plan that includes how to manage media and public enquiries?

Following a privacy breach, an agency should take the time to investigate the cause of the breach and update their processes and practices where appropriate.

Questions to ask:

• Does your plan include a process for subsequently reviewing the causes of the breach? This may include a:
  • security audit of both physical and technical security
  • review of your collection, storage, retention and disposal of personal information practices
  • review of policies and procedures
  • review of employee training practices
  • review of any third party providers involved in the breach.