ADIA > Member services > Privacy > Reporting requirements under the Industry Privacy Code

Reporting requirements under the Industry Privacy Code

As the Administrator of the Privacy (Market and Social Research) Code 2021, ADIA is required to monitor compliance by member organisations and investigate serious and repeated breaches and systemic issues related to Code compliance. This requirement supports ADIA’s reporting responsibility to the Office of the Australian Information Commissioner (OAIC) and ensures that due process is followed. This requirement is outlined in Part H of the Privacy Code.

Member organisations must maintain a culture of privacy protection and review all privacy breaches with ADIA to ensure that they implement appropriate improvements in privacy protection. Organisations, therefore, need to ensure they implement practices, procedures and systems for handling enquiries and complaints with respect to compliance with the Industry Privacy Code and the Australian Privacy Principles (APPs). To ensure the process is fair and consistent, complaints and enquiries should be referred to a single point of contact, the Privacy Officer. Details of complaints must also be logged to make sure that any serious or systemic issues are identified and acted upon.

Key steps in responding to a data breach

Step 1

  • Take immediate steps to contain the breach
  • Make a preliminary assessment of how the breach occurred
  • Try to rectify the issue as soon as possible

Step 2

  • Establish the cause and extent of the breach
  • Consider what personal information is involved, directly or by implication
  • Determine whether the context of the information is important
  • Evaluate the nature of risks for individuals associated with the breach
  • Identify what the potential risk of harm, including, e.g. re-identification, identity theft, fraud, or compromise of a generic password is
  • Consider protective steps an affected individual may need to take and how urgently
  • If unresolved, report the complaint/breach to ADIA
  • Some notifications to individuals may need to be done urgently or immediately to enable individuals to protect themselves from further consequences

Step 3                                                               

  • Risk analysis on a case-by-case basis
  • Consider breach notification to the regulator (www.oaic.gov.au)
  • Consider breach notification to the individuals affected
  • Not all breaches necessarily warrant notification (very low impact risks with very low probability of manifesting)
  • Uncertainty or ambiguity about what happened elevates the risk

(Consider any mandatory notification requirements under US or EU law, if applicable, and under Australian law, if and when it is passed.)

Recommended complaint handling procedure

Procedure Timeline
A complaint is received about an alleged breach of the Privacy Code/APPs
The complaint must be forwarded to the Privacy Officer 7 days
The Privacy Officer must make a determination on the complaint and advise the complainant in writing. 30 days from date of receipt
The Privacy Officer will keep records of all complaints and determinations. This will comprise a register and file records that will be securely stored in accordance with the Code /APP 11. On-going
If the Privacy Officer determines there has been a breach of the Code/APPs, he/she will, upon notification to the complainant, advise the relevant personnel in writing of any action required to remedy the breach. Upon determination
If the breach is incapable of being rectified and is not rectified within 30 days, the Privacy Officer must inform the Managing Director and ADIA about the failure to rectify the breach. 30 days from the determination

If the Privacy Officer is aware that the complainant remains unsatisfied after completing the above process, they must inform ADIA using the online reporting form (following).

ADIA Privacy Complaint form

  • MM slash DD slash YYYY
  • MM slash DD slash YYYY

General tips for responding to a data breach

  1. Take each situation seriously and move immediately to contain and assess the breach.
  2. Breaches that may initially seem immaterial may be significant when their full implications are assessed.
  3. Organisations should undertake steps 1 & 2 either simultaneously or in quick succession. In some cases, it may be appropriate to notify individuals immediately before containment or assessment of the breach occurs.
  4. The decision on how to respond should be made on a case-by-case basis. Depending on the breach, not all steps may be necessary, or some steps may be combined. In some cases, organisations may take additional steps specific to the nature of the breach.
  5. If the breach is unresolved and the complainant is dissatisfied, inform and work with ADIA to rectify the matter.