08 Dec 2020
Dealing with personal information security breaches
There is no single way of responding to a personal information security breach. Each breach must be dealt with on its own merits. This requires the business to assess the breach, the risks involved and the possible consequences that may flow from it. That assessment must then be used to determine what steps the business must take to stop the breach (or stop it from reoccurring), to investigate why the breach occurred, to assess the damage that has been or may be caused, and to decide what may need to be done to mitigate that damage. This includes deciding whether it is necessary to notify the Privacy Commissioner and affected individuals of the breach, both so that those individuals can take steps to limit any possible damage (for example, by cancelling credit cards) and in order to comply with the Notifiable Data Breaches Scheme established by the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Scheme).
Having said that, however, some general guidance can be given.
At the outset, it is critical that the seriousness of an actual or potential breach is not underestimated. It is important that every person in the business understands that a privacy breach (or possible breach) is a serious matter and that steps must be taken to contain it and assess the situation. Prompt action will stand you in good stead if the matter is the subject of a complaint or investigation by the Office of the Australian Information Commissioner (OAIC).
There are five key steps that a business must consider when faced with a breach or suspected breach of privacy:
- contain the breach;
- undertake a preliminary assessment of the breach;
- evaluate the risks associated with the breach;
- consider notification; and
- take steps to prevent future breaches.
Further details of each of these steps, and how you may implement a response in any particular situation can be found in the OAIC's Data breach preparation and response: A guide to managing data breaches in accordance with the Privacy Act 1988 (Cth). The OAIC has indicated that this resource will be updated prior to the commencement of the Scheme.
The decision on how to respond has to be made having regard to the particular circumstances of the case. In some instances, not all of the steps will be needed, or some steps may be combined. In other cases it may be necessary for the business to take further steps that are specific to the nature of the breach.
A data breach notification (DBN) will be required of an organisation or agency when there is a data breach that is likely to result in serious harm to any individual to whom the information relates. Additionally, there are currently some circumstances that already require organisations and agencies to make a mandatory DBN, including under s 75 of the Personally Controlled Electronic Health Records Act 2012 (PCEHR Act).
What is important is that each business has a planned, documented approach to dealing with actual or potential breaches that incorporates the requirements of the Scheme, and that it can implement that process rapidly if a personal information security breach occurs. This offers the best chance of stopping any further security breaches and mitigating any potential harm. It also gives the business the best chance of avoiding a complaint to the OAIC or, if that is not possible, of showing by the time the matter is mediated that it has done everything it could reasonably have been expected to do, which improves its chances of avoiding any adverse findings and any consequent adverse publicity.
During the period 1 January to 30 June 2020, the OAIC's Notifiable Data Breaches Quarterly Report recorded a total of 518 notifications of eligible data breaches. This figure is down 3% from 532 in the previous six months, but up 165 on the 447 notifications received during the period January to June 2019.
To read the full article, Demonstrating compliance with the Australian Privacy Principles (APPs), subscribe to the Practical Guidance General Counsel module.