Roles and responsibilities of staff
How will staff recognise that a suspected breach has been encountered, and what is the initial procedure they should follow before escalating further to the response team?
Your plan should outline the responsibilities of staff members when there is a data breach, or a suspected data breach.
- State the factors that indicate when it is time to escalate to the response team.
- In smaller entities it may not be necessary to include steps related to escalating the data breach to the response team, as this may be an automatic process.
- Whether there is a risk of serious harm to affected individuals, now or in the future.
- Whether the data breach or suspected data breach may indicate a systemic problem with your entity’s practices or procedures, and any other issues relevant to your circumstances, such as the value of the data to you or issues of reputational risk.
- Who is responsible for deciding whether the breach should be escalated to the response team?
- It is important that the response team has the authority to take the steps outlined in the response plan without needing to seek permission, as this will enable a faster response to the breach.
Response Team – Membership
- Who is in your data breach response team will depend on the circumstances of your entity and the nature of the breach.
- You should identify the types of expertise you may need and ensure that this expertise will be available on short notice.
- You should keep a current list of response team members and clearly detail their roles, responsibilities, and authorities, as well as their contact details.
- When and how the response team could practise responding to a breach in order to test and refine its procedures.
- Whether your plan for dealing with personal information data breaches could link into, or be incorporated into, already existing processes, such as a disaster recovery plan or a cyber security/ICT incident response plan.
- Any reporting obligations under laws other than the Privacy Act or to other entities.
- Whether you have an insurance policy for data breaches that includes steps you must follow.
Your plan should consider how your entity will record data breach incidents, including those that are not escalated to the response team. This will assist you in ensuring you have documentation of how your entity has met regulatory requirements.
- You may also want to include potential examples of a data breach which are tailored to reflect your business activities.
- List potential strategies for containing and remediating data breaches, including the actions your staff and your response team will take in the event of a data breach or a suspected data breach.