Category Archives: Australia

OAIC Guide: Developing a Data Breach Response Plan

The Office of the Australian Information Commissioner (OAIC) has released a draft Guide to Developing a Data Breach Response Plan. The Commissioner notes that the cost of a data breach to an organisation can be significant, and that having a data breach response plan in place can help to mitigate those costs.

The data breach response plan should cover things like:

  • a strategy for assessing and containing data breaches – this includes the actions the response team should take in the event of a breach or suspected breach,
  • a clear explanation of what constitutes a data breach, so that staff are able to identify one should a breach occur,
  • the reporting line if staff do suspect a data breach, including who needs to be informed immediately,
  • who is responsible for determining which other external stakeholders should be contacted (for example, law enforcement agencies, regulators and the media),
  • recording data breaches – the organisation should consider how to record data breaches, including those that are not referred to the response team, and
  • a strategy to identify and address any weaknesses in data handling that contributed to the breach.

While the Guide is not legally binding, the Commissioner has indicated that preparing and implementing a data breach response plan is likely to help satisfy an organisation’s obligation under the Australian Privacy Act (Australian Privacy Principle 11) to take reasonable steps to protect the personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure.

The closing date for comments is Friday 27 November 2015.

Link (OAIC): Guide to Developing a Data Breach Response Plan

Early info on TPP’s electronic commerce chapter

Negotiations on the new Trans-Pacific Partnership concluded last week, and the agreement includes a chapter on electronic commerce. The full text of the agreement is not yet available, but New Zealand’s Ministry of Foreign Affairs and Trade (MFAT) has released a summary.

The chapter on electronic commerce promises to be of particular interest to privacy and data protection practitioners.  In its summary of chapter 14, MFAT states:

“TPP Parties commit to ensuring free flow of the global information and data that drives the Internet and the digital economy, subject to legitimate public policy objectives such as personal information protection.  The 12 Parties also agree not to require that TPP companies build data centres to store data as a condition for operating in a TPP market, and, in addition, that source code of software is not required to be transferred or accessed.”

Link: TPP Ministerial Summary (MFAT)

More data breaches in Australia and the US

In Australia, Kmart has engaged IT forensic investigators after the personal details of its online customers were accessed by an attacker. Kmart says no customer credit card details were compromised; however, customers’ names, email addresses, home addresses, telephone numbers and product purchase details were accessed in an “external privacy breach” early last month. Kmart has also contacted the Australian Privacy Commissioner and the Australian Federal Police to assist with the investigation.

In the US, Experian, one of the largest data brokers and credit agencies in the world, has also been breached. The data taken includes names, addresses, and Social Security, driver’s licence and passport numbers. The licence and passport numbers were stored in an encrypted field, but Experian says the encryption may also have been compromised, a reminder that field-level encryption only protects data if the attacker cannot also reach the keys or the application that decrypts it.

Links: Kmart (Sydney Morning Herald) and Experian (The Guardian)

Office of the Australian Information Commissioner updates guidance

The Office of the Australian Information Commissioner has released a new Privacy Management Framework and a checklist to help organisations comply with the Australian Privacy Principles. The guidance outlines four ‘e’ steps for good privacy governance:

  • embed leadership and governance arrangements to create a culture of privacy that values personal information
  • establish robust and effective privacy processes (e.g. training staff on their privacy obligations and developing a data breach response plan)
  • evaluate the adequacy and currency of the business’s existing privacy practices (e.g. by creating feedback channels for staff and customers), and
  • enhance (e.g. by commissioning an independent review to identify areas for improvement).

Among the tips on the checklist are:

  • always consider doing a privacy impact assessment when developing a project that involves new or changed personal information handling practices
  • collect only the information you need
  • make that information accessible internally on a needs-to-know basis, and
  • have a data breach response plan ready to go.

The new tools follow the release by the Australian Information Commissioner of a survey into the adequacy of the online privacy policies of 20 Australian and international organisations in the finance, retail, government and media sectors.

The policies were evaluated against the requirements of Australian Privacy Principle 1 (APP 1), which requires entities to have a clearly expressed and up-to-date privacy policy. The Commissioner found that 55% of the policies surveyed failed to meet one or more of the content requirements of APP 1.

Links: Privacy management framework and Ten tips to protect your customers’ personal information

Singtel Optus – enforceable undertaking following privacy breaches

Singtel Optus has entered into an enforceable undertaking with the Australian Privacy Commissioner, agreeing to an independent audit of its internal privacy practices, after a flaw was found in its security systems and it accidentally published private information about 122,000 customers in an online directory without their consent.

Link: Enforceable undertaking by Singtel Optus

ASIC on cyber resilience

The Australian Securities and Investments Commission (ASIC) has released a report to help the Australian financial sector improve its cyber resilience. Suggested ‘health check prompts’ for cyber-risk management include:

  • whether the board and senior management are aware of the entity’s cyber risks
  • whether key third-party providers or clients are cyber resilient, and
  • whether employees and contractors are properly trained to deal with cyber risk.

Link: ASIC report