This Data Breach Response Plan (Response Plan) sets out the procedure to be followed by staff within the 3 Moments Group of Companies (“3 Moments Group”) in the event we experience a data breach, or suspect that a data breach has occurred.
Privacy is governed by the Privacy Act 1988 (Cth) and the Australian Privacy Principles (“privacy legislation”).
3 Moments Group will be required to provide notice as soon as practicable to the Office of the Australian Information Commissioner (“OAIC”) and affected individuals where there are reasonable grounds to believe that an “eligible data breach” has occurred.
A data breach will arise where there has been unauthorised access to, or unauthorised disclosure of, personal information about one or more individuals, or where such information is lost in circumstances that are likely to give rise to unauthorised access or unauthorised disclosure (for example, giving the information to the wrong person).
“Personal information” is any information that allows an individual to be personally identified.
An eligible data breach will arise where a “reasonable person” would conclude that there is a likely risk of “serious harm” to any of the affected individuals as a result of the unauthorised access or unauthorised disclosure. Although serious harm is not defined, it is likely to include serious physical, psychological, emotional, economic and financial harm, and even serious harm to reputation.
Serious harm will be likely if the harm is “more probable than not” having regard to a list of relevant matters set out in the privacy legislation. These matters include the sensitivity of the information, any security measures taken, such as encryption, and how easily those security measures could be overcome. 3 Moments Group is then obliged to:
(a) Prepare a statement containing certain prescribed information about the data breach and provide it to the OAIC; and
(b) Take steps to notify the affected individuals.
The steps required will depend upon the circumstances, but will usually include sending the statement to the individual via the usual means of communication (that is, what is usual between the 3 Moments Group and the individual).
If 3 Moments Group has reasonable grounds to suspect an eligible data breach has occurred, then 3 Moments will be required to complete a “reasonable and expeditious” assessment into the relevant circumstances within 30 days.
Adherence to this Response Plan will ensure the 3 Moments Group can contain, assess and respond to data breaches in a timely fashion in order to mitigate potential harm to affected persons. This plan:
(a) Sets out the roles and responsibilities of staff;
(b) Sets out the contact details of appropriate staff in the event of a data breach; and
(c) Outlines the procedure to be followed in the event of a data breach.
If a 3 Moments Group staff member becomes aware of a suspected privacy data breach, the staff member must immediately:
(a) Notify senior management of the suspected data breach.
(b) Record and advise senior management of the time and date the suspected breach was discovered, the type of information involved, the cause and extent of the breach, and the context of the affected information and the breach.
Senior management must then assess and determine whether a data breach has occurred.
If senior management has any suspicion that a breach has occurred, the director must immediately notify the 3 Moments Group managing director.
Where a minor breach is dealt with, the following details must be recorded:
(a) Description of the breach or suspected breach;
(b) Action taken by the director or 3 Moments Group staff member to address the breach or suspected breach;
(c) Outcome of that action;
(d) Sign off from senior management that no further action is required; and
(e) Confirmation that the incident has been recorded in the 3 Moments Group Data breach incident log.
If the breach is serious, it must immediately be escalated to the managing director.
Once a matter has been escalated to the managing director, the process outlined below must be followed.
Each breach will need to be dealt with on a case-by-case basis, undertaking an assessment of the risks involved and using that risk assessment as the basis for deciding what actions to take in the circumstances.
There are four key steps to consider when responding to a breach or suspected breach.
Step | Phase | Actions
1 | Containment & Assessment | (a) Take immediate steps to contain the breach; (b) Designate a person/team to coordinate the response
2 | Evaluation of Risks | (a) Evaluate the risks for individuals associated with the breach; (b) What personal information is involved?; (c) Establish the cause and extent of the breach; (d) Identify the risk of harm
3 | Consider Notification | (a) Risk analysis on a case-by-case basis; (b) Should affected individuals and/or others be notified?
4 | Review & Re-evaluate | (a) Review the incident and take steps to prevent further breaches; (b) Fully investigate the cause of the breach; (c) Consider developing a prevention plan; (d) Option of an audit to ensure the plan is implemented; (e) Update the security/response plan; (f) Update policies, procedures and training, if required
Generally, steps 1-3 should be carried out concurrently or in close succession.
1. Contain the breach
Once a data breach has been identified, action must be taken to immediately contain it. For example, stop the unauthorised practice, recover the records or shut down the system that was breached.
(a) Initiate a preliminary assessment
Move quickly to appoint someone to lead the initial investigation. This person must be suitably qualified and have sufficient authority to conduct the initial investigation.
Generally, this will be the person most suitably qualified to carry out the initial investigation.
In some situations, it will be necessary to assemble a team that includes representatives from appropriate areas of the 3 Moments Group to conduct the preliminary assessment.
The following questions should be addressed when making the preliminary assessment:
2. Evaluate the risks associated with the breach
The following factors are relevant when assessing the risk:
(a) The type of information involved
(b) Establish the cause and extent of the breach
(c) Assess the risk of harm to the affected persons
(d) Assess the risk of other harms
A thorough evaluation of the risks will assist the 3 Moments Group in determining the appropriate course of action to take.
3. Notification
(a) Deciding whether to notify affected individuals or entities
In general, if a data breach creates a real risk of serious harm to a person, the affected person should be notified.
The key consideration is whether notification is necessary to avoid or mitigate serious harm to an affected person.
The following factors should be considered:
(b) Notification process
In general, notification should occur as soon as reasonably possible. However, in some instances, delay may be necessary.
Notification should be direct – by phone, letter, email or in person, to the affected individuals.
Indirect notification, either by website, posted notices or media should only occur where direct notification could cause further harm, is cost prohibitive or the contact information for affected persons is unknown.
(c) Details to include in the notification
The content of the notification will vary depending on the particular breach and notification method. However, the OAIC recommends that notifications should include the following information:
(d) Other notifications
It may also be appropriate to notify other third parties, such as the OAIC, the police, insurance providers, credit card companies, financial institutions, professional or other regulatory bodies, other internal or external parties who have not already been notified or agencies that have a direct relationship with the information lost/stolen.
4. Prevent future breaches
Once immediate steps have been taken to mitigate the risks associated with a breach, the 3 Moments Group managing director must take the time to investigate the cause of the breach.
The 3 Moments Group managing director must be briefed on the outcome of the investigation, including recommendations: