Data Breach Response Policy
The Notifiable Data Breaches Scheme 2018 requires Fishing Station to notify affected individuals and the Australian Information Commissioner, about any eligible data breach which is likely to result in serious harm to any of the individuals to whom the information relates.
An eligible data breach occurs when three criteria are met:
- There is unauthorised access to, or unauthorised disclosure of personal information, or a loss of personal information, that an entity holds
- This is likely to result in serious harm to one or more individuals, and
- The entity has not been able to prevent the likely risk of serious harm with remedial action.
‘Serious harm’ can be psychological, emotional, physical, reputational, or other forms of harm e.g. identity theft, significant financial loss, loss of employment opportunities, threats to safety.
This policy applies to all staff at Fishing Station. This includes temporary, casual and contractors working on behalf of the company.
It provides a guide for staff to effectively report and contain any data breaches (both suspected and confirmed), to minimise risk associated with the breach and consider what action is necessary to secure data and prevent further breaches.
What Is A ‘Data Breach’?
Examples of a data breach include, but are not limited to:
- Unauthorised access of personal information that the entity holds is accessed by someone who is not permitted to have access. This includes employees of the entity, independent contractors as well as external third parties.
- Unauthorised disclosure occurs when personal information is made accessible or visible to others and releases that information from our effective control.
- Loss refers to the accidental or inadvertent loss of personal information held by the entity in circumstances where it is likely to result in unauthorised access or disclosure.
Data Breach Response Process
1. Data Breach Suspected/Identified
Data breach identified/suspected e.g.:
- Leak / loss of physical materials e.g. data file, loss of laptop/smartphone
- Identification of cyber intrusion
- Unintentional sharing of client or Fishing Station’s data
2. Notify The Security Group
Collect information about the breach and immediately notify Fishing Station’s Security Group – Owners and Supervisors to be notified immediately by text message and meeting as soon as store opens.
3. Security Group Response
Upon receiving information regarding a suspected/confirmed data breach the Security Group must immediately initiate a process of analysis and containment.
- Preliminary Analysis – Conduct a preliminary assessment of the reported breach.
- Contain – Implement steps to contain the breach and reduce the likelihood of harm to affected individuals caused by the breach.
Assess – Consider whether the breach is likely to result in serious harm for any of the individuals whose information is involved.
If Serious Harm is identified then the incident must be treated as an Eligible Breach. The Security Group must:
- Notify the client/individuals effected (as risk of serious harm)
- Notify the Australian Information Commissioner via the Notifiable Breach Form
The notification must contain Fishing Station’s contact details, a description of the breach, the kind/s of information concerned, and recommended steps for the individuals.
The Security Group will review the incident and take action to prevent future breaches.
Actions may include, but are not limited to:
- Audit of physical and technical security
- Review of training practices
- Implementation of new process/procedures
- Reporting to Police, Australian Cyber Security Centre and Industry Groups.
A staff briefing detailing the breach and remediation will be provided in order to ensure continuous improvement and awareness of data breach response procedures.