The Australian Privacy Commissioner, Karen Curtis, has released a guide to help businesses, agencies and non-government organisations prevent and respond to a data breach.
“Under the Privacy Act, organisations must take reasonable steps to prevent a malicious or unintentional loss of personal information they hold,” Curtis said.
“Prevention is always better than the cure. However, in the event that a breach does occur, the guide will provide clear steps that can be taken to minimise the impact of the breach on those individuals affected by it.”
Curtis said the Guide to Handling Personal Information Security Breaches was developed after extensive consultation with stakeholders. It includes four key steps to consider when responding to a breach:
1: Contain the breach and do a preliminary assessment
2: Evaluate the risks associated with the breach
3: Consider notification
4: Prevent future breaches.
The guide suggests that individuals affected by a breach should be notified where it creates a real risk of harm, and incorporates examples to help define the circumstances that would make notification the correct response.
“While the guide is voluntary, it represents good practice in handling breaches and I would urge all organisations and agencies to read it and consider its use,” Curtis said.
How the guide works in practice could inform the Federal Government’s response to the Australian Law Reform Commission’s recommendation this month that mandatory breach notification be made law.
The guide is available at www.privacy.gov.au/publications/breach_guide.pdf.