The DBN Guide provides general guidance about what data breaches
are, how they occur and how they should be responded to. The new
draft Guide aims to further ensure that businesses are taking
preparatory steps now to mitigate the effects of a data breach, if
While the draft Guide is not legally binding, it represents the
OAIC's view on what should be considered in the development of
a data breach response plan and may assist businesses to meet both
obligations under the Privacy Act 1988 (Cth) and customer
expectations. In particular, it may help you comply with Australian
Privacy Principle 11 (APP 11), which requires that reasonable steps be
taken to protect personal information. Depending on the type of
business, establishing and maintaining an effective data breach
response plan may be an important part of the framework that
addresses APP 11.
This draft Guide may also assist businesses to prepare for
mandatory breach reporting requirements should they be introduced.
Reporting of breaches should form part of a data breach response
plan where appropriate; the draft Guide includes a link to the
OAIC's to-be-developed data breach notification form for this
The OAIC has provided a consultation period on the draft Guide,
closing on Friday 27 November 2015.
How a response plan can help
Having a response plan in place enables businesses to respond
quickly and effectively in the event of a breach, which the draft
Guide suggests involves:
identifying a data breach;
containing the breach and making a preliminary assessment;
notifying internal stakeholders and determining
appropriate escalation, including to a response team;
evaluating the risks for individuals associated with the
recording the breaches; and
reviewing the incident and taking steps to prevent further
Having a response team will ensure that the right people are
involved and that roles and responsibilities are identified and
documented before the data breach occurs. This is an important part
of minimising the impact of the breach as it can allow businesses
to respond more quickly and effectively by immediately focusing on
responding to the issue rather than first having to assemble the
The composition of a team will depend on the business, the
response plan and the nature of the breach. The draft Guide
suggests that the following roles should be considered:
a team leader;
a project manager;
a senior member of staff who has privacy accountability or a
The release of this consultation draft Guide is an opportunity
to review your privacy framework and consider the
OAIC's views on data breach response plans.
While still in draft, the Guide and the appendix checklist to
the Guide can be used to assess existing response plans. This
checklist is a useful tool to quickly check that a plan covers all
the key areas.
Finally, you should review the final Guide when released by the
OAIC following the consultation period.
Clayton Utz communications are intended to provide
commentary and general information. They should not be relied upon
as legal advice. Formal legal advice should be sought in particular
transactions or on matters of interest arising from this bulletin.