Roles and responsibilities of staff
Staff need to understand what to do when they encounter a suspected breach, and what the initial procedure is before escalating further to the response team.
Your plan should outline the responsibilities of staff members when there is a data breach, or a suspected data breach.
- State the factors that determine when it is time to escalate to the response team.
- In smaller entities it may not be necessary to include steps related to escalating the data breach to the response team, as this may be an automatic process.
- Whether there is a risk of serious harm to affected individuals now or in the future?
- Whether the data breach or suspected data breach may indicate a systemic problem with your entity’s practices or procedures, or other issues relevant to your circumstances, such as the value of the data to you or issues of reputational risk.
- Who is responsible for deciding whether the breach should be escalated to the response team?
- It is important that the response team has the authority to take the steps outlined in the response plan without needing to seek permission, as this will enable a faster response to the breach.
Response Team – Membership
- Who is in your data breach response team will depend on the circumstances of your entity and the nature of the breach.
- You should identify the types of expertise you may need and ensure that this expertise will be available on short notice.
- You should keep a current list of response team members and clearly detail their roles, responsibilities, and authorities, as well as their contact details.
- When and how the response team could practice a response to a breach in order to test procedures and refine them.
- Whether your plan for dealing with personal information data breaches could link into or be incorporated into already existing processes, such as a disaster recovery plan or a cyber security/ICT incident response plan.
- Any reporting obligations under laws other than the Privacy Act or to other entities.
- Whether you have an insurance policy for data breaches that includes steps you must follow.
Your plan should consider how your entity will record data breach incidents, including those that are not escalated to the response team. This will assist you in ensuring you have documentation of how your entity has met regulatory requirements.
- You may also want to include potential examples of a data breach which are tailored to reflect your business activities.
- List potential strategies for containing and remediating data breaches. Include the actions your staff, and your response team, will take in the event of a data breach or a suspected data breach.
| Information to be included | Yes/No | Comments |
| --- | --- | --- |
| What a data breach is and how staff can identify one | | |
| Clear escalation procedures and reporting lines for suspected data breaches | | |
| Members of the data breach response team, including roles, reporting lines and responsibilities | | |
| Details of any external expertise that should be engaged in particular circumstances | | |
| How the plan will apply to various types of data breaches and varying risk profiles, with consideration of possible remedial actions | | |
| An approach for conducting assessments | | |
| Processes that outline when and how individuals are notified | | |
| Circumstances in which law enforcement, regulators (such as the OAIC), or other entities may need to be contacted | | |
| Processes for responding to incidents that involve another entity | | |
| A record-keeping policy to ensure that breaches are documented | | |
| Requirements under agreements with third parties such as insurance policies or service agreements | | |
| A strategy for identifying and addressing any weaknesses in data handling that contributed to the breach | | |
| Regular reviewing and testing of the plan | | |
| A system for a post-breach review and assessment of the data breach response and the effectiveness of the data breach response plan | | |