Mandatory Data Breach Reporting – What you need to start doing right now

We recommend you ensure that your data breach incident response process is updated to include steps to:

  • Identify if an eligible data breach has occurred
  • Investigate a suspected security incident to determine whether an eligible data breach has occurred, so that it can be reported
  • Assess the risk of serious harm to affected individuals if personal information has been accessed, disclosed or lost
  • Notify affected individuals and the OAIC
  • Review any contracts with third parties who hold personal information on behalf of the entity and ensure that adequate contractual provisions are in place to manage compliance with the notification regime

Once updated, the plan should be tested to confirm that it is effective, works as intended, and that everyone with a role in the plan understands their responsibilities.

The introduction of the new legislation is a good opportunity to assess and measure your compliance with the Privacy Act provisions.

Wayne Tufek is currently a Director of CyberRisk (www.cyber-risk.com.au). For over 20 years he has formulated pragmatic, business driven strategies to establish, execute and improve cyber risk management in ASX listed companies and some of Australia’s largest organisations across the public sector, Big 4, financial services, consumer products, education and retail sectors. Wayne is a member of Chartered Accountants Australia and New Zealand and holds the SABSA SCF, CISSP, CRISC, CISM, CISA and ISO/IEC 27001 Lead Implementer qualifications. He is frequently asked to present at security conferences and events in Australia and internationally including the ACSC Conference, RSA APJ and CeBit.

