With mere weeks to go before the Notifiable Data Breaches Scheme is in action, organisations have to be equipped to respond to and report data breaches. Here is how to inform affected parties and the Commissioner if a suspected data breach occurs.
We’ve covered what constitutes a breach in a previous post (click here for that), so here is what to do once you have detected a breach.
There are two main parties to notify when you suspect a data breach has occurred – the individuals affected, and the Commissioner.
Informing individuals
When it comes to individuals, an organisation can choose to either inform everybody whose personal information was part of a data breach, or just those in serious harm. Depending of course on the size of your organisation and the means to contact individuals, you can choose any medium to inform affected individuals, whether by phone call, SMS, physical mail, social media or in-person.
Each notification can be tailored for the individuals, but must include the following:
a) the identity and contact details of the entity
b) a description of the eligible data breach that the entity has reasonable grounds to believe has happened
c) the type of information at risk
d) recommendations for individuals to take in response to the data breach.
Informing the Commissioner
As for the Commissioner, there is an online form to fill out and submit. This from can also be used as a secondary means of informing individuals, by publishing the submitted form online, It is important for organisations to inform parties and the Commissioner as soon as practicable, to avoid heavy fines. The timing of a notification can be relevant in the Commissioner’s decision process, and late notifications can also result in fines.
For more information on the Notifiable Data Breaches Scheme, visit the Office of the Australian Information Commissioner website.