This Data Breach Response Plan (Response Plan) sets out the procedure to be followed by Swanned Pty Ltd staff in the event that Swanned Pty Ltd experiences a data breach, or suspects that a data breach has occurred.
A data breach occurs when personal information (defined in section 6 of the Privacy Act 1988 (Cth)) is lost or subjected to unauthorised access, modification, use or disclosure or other misuse. Personal information refers to information that identifies or reasonably identifies an individual.
This policy sets out Swanned Pty Ltd's procedures for managing a data breach, including the considerations around notifying persons whose privacy may be affected by the breach. Effective breach management, including notification where warranted, assists Swanned Pty Ltd in avoiding or reducing possible harm to both the affected individuals/organisations and Swanned Pty Ltd, and may prevent future breaches.
This policy applies to all staff and contractors of Swanned Pty Ltd. This includes temporary and casual staff, private contractors and consultants engaged by the IPC to perform the role of a public official. This policy will apply from the date of effect.
The purpose of this policy is to provide guidance to Swanned Pty Ltd in responding to a breach of Swanned Pty Ltd held data, especially personal information.
Adherence with the Response Plan will ensure Swanned Pty Ltd can contain, assess and respond to data breaches in a timely fashion in order to mitigate potential harm to affected persons.
This plan:
Effective breach management, including notification where warranted, assists Swanned Pty Ltd in avoiding or reducing possible harm to both the affected individuals/organisations and Swanned Pty Ltd and may prevent future breaches.
A data breach
A data breach occurs when there is a failure that has caused or has the potential to cause unauthorised access to Swanned Pty Ltd data, such as:
A data breach most commonly, but not exclusively, results in unauthorised access to, or the unauthorised collection, use, or disclosure of personal information.
Responding to a data breach
There are four key steps required in responding to a data breach:
Each step is set out in further detail below. The first three steps should be carried out concurrently where possible. The last step provides recommendations for longer-term solutions and prevention strategies.
Step 1: Contain the data breach to prevent any further compromise of personal information.
Containing the breach is prioritised by Swanned Pty Ltd. All necessary steps possible must be taken to contain the breach and minimise any resulting damage. For example, attempt to recover the personal information, shut down the system that has been breached, suspend the activity that led to the breach, revoke or change access codes or passwords.
If a third party is in possession of the data and declines to return it, it may be necessary for Swanned Pty Ltd to seek legal or other advice on what action can be taken to recover the data. When recovering data, Swanned Pty Ltd will make sure that copies have not been made by a third party or, if they have, that all copies are recovered.
Step 2: Evaluate the data breach by gathering the facts and evaluating the risks
To determine what other steps are needed, an assessment of the type of data involved in the breach and the risks associated with the breach will be undertaken.
Some types of data are more likely to cause harm if they are compromised: for example, personal information, location data, login information, images, conversations, names and email addresses.
Factors to consider include:
Step 3: Notify individuals and the Commissioner if required.
Swanned Pty Ltd recognises that notification to individuals/organisations affected by a data breach can assist in mitigating any damage for those affected individuals/organisations.
Swanned Pty Ltd will also have regard to the impact upon individuals in recognition of the need to balance the harm and distress caused through notification against the potential harm that may result from the breach. There are occasions where notification can be counterproductive. For example, information collected may be less sensitive and notifying individuals about a privacy breach which is unlikely to result in an adverse outcome for the individual may cause unnecessary anxiety and de-sensitise individuals to a significant privacy breach.
Factors Swanned Pty Ltd will consider when deciding whether notification is appropriate include:
Notification should be done promptly to help to avoid or lessen the damage by enabling the individual/organisation to take steps to protect themselves.
The method of notifying affected individuals/organisations will depend in large part on the type and scale of the breach, as well as immediately practical issues such as having contact details for the affected individuals/organisations. Considerations include the following.
When to notify
In general, individuals/organisations affected by the breach should be notified as soon as practicable. Circumstances where it may be appropriate to delay notification include where notification would compromise an investigation into the cause of the breach or reveal a software vulnerability.
How to notify
Affected individuals/organisations should be notified directly – by telephone, email or within the app.
Indirect notification – such as information posted on the Swanned Pty Ltd website, a public notice in a newspaper, or a media release – should generally only occur where the contact information of affected individuals/organisations is unknown, or where direct notification is prohibitively expensive or could cause further harm.
What to say
The notification advice will be tailored to the circumstances of the particular breach.
Content of a notification could include:
It may also be appropriate to notify other third parties, such as:
The OAIC strongly encourages agencies to report serious data breaches involving personal information. The following factors should be considered in deciding whether to report a breach to the OAIC:
Step 4: Review the incident and consider what actions can be taken to prevent future breaches.
Swanned Pty Ltd will further investigate the circumstances of the breach to determine all relevant causes and consider what short or long-term measures could be taken to prevent any recurrence.
Preventative actions could include a:
Notifying the Privacy Commissioner
As a matter of good practice, Swanned Pty Ltd's Director will notify the NSW Privacy Commissioner of a data breach where personal information has been disclosed and there are risks to the privacy of individuals. In doing so, Swanned Pty Ltd will ensure that relevant evidence is contained securely for access by the Privacy Commissioner should regulatory action be considered appropriate. Such notification will:
Notification should contain similar content to that provided to individuals/organisations. The personal information about the affected individuals is not required. It may be appropriate to include:
Template response
Dear [name]
I am writing to you with important information about a recent data breach involving your personal information / information about your organisation. The Information and Privacy Commission became aware of this breach on [date].
The breach occurred on or about [date] and occurred as follows:
(Describe the event, including, as applicable, the following):
Please call me with any questions or concerns you may have about the data breach.
We have established a section on our website [insert link] with updated information and links to resources that offer information about this data breach.
We take our role in safeguarding your data and using it in an appropriate manner very seriously.
Please be assured that we are doing everything we can to rectify the situation.
Please note that under the [PPIP Act / HRIP Act / GIPA Act] you are entitled to register a complaint with the NSW Privacy Commissioner or NSW Information Commissioner/CEO with regard to this breach. Complaints may be forwarded to the following:
[insert details]
Should you have any questions regarding this notice or if you would like more information, please do not hesitate to contact me.
Yours sincerely,
[Insert applicable name and contact information]
Template report and Action
Description of data breach | Action taken |
---|---|
When / What / How | Notification / Containment |

Description of Risks | Action Proposed |
---|---|
Risk / Harm / Affecting | |

Description of Causes | Action Proposed |
---|---|
How / Why | Change / Train / Remind / Review / Stop / Media / Remedy |
Notification to the NSW Privacy Commissioner | |
IF A DATA BREACH OCCURS
Step 1 | Contain the breach - Take immediate steps to contain - Designate a person to coordinate the response |
---|---|
Step 2 | Evaluate the risks - Consider what information is involved - Determine the context of the information - Establish cause and extent - Identify the risk |
Step 3 | Consider breach notification - Do a risk analysis on a case-by-case basis - Not all breaches warrant a notification |
Step 4 | Review the incident and take action to prevent further breaches - Fully investigate the cause - Develop a prevention plan - Audit the plan - Update the data breach response plan - Make changes to policies - Revise staff training |
Contact Persons
The response team includes
IT | Pratik Kayastha, Head of Technology, Email: support@getswanned.com |
---|---|
Marketing | Natalie Smith, Head of Marketing, Email: natalie@getswanned.com |
Finance | Isla Cameron, Head of Finance, Email: admin@getswanned.com |
Customer Service | Natalie Smith, Head of Marketing, Email: marketing@getswanned.com |
References
This Data Breach Response Plan has been developed in accordance with and with reference to the OAIC’s Data breach notification: a guide to handling information security breaches (The Guide).
In the event of a data breach, the Response Team should reference the Guide as it provides further detail that may be of assistance to the Response Team.
Other References:
Part 7-1 Privacy Act 1988 (Cth)
Version 1:1
Date of effect: September 2021