Reporting requirements under the industry privacy code

As the Code Administrator, ADIA (formerly AMSRO) is required to monitor compliance by member organisations and investigate serious and repeated breaches and systemic issues about Code compliance. This requirement supports ADIA’s reporting responsibility to the Office of the Australian Information Commissioner (OAIC) and ensures that due process is followed. This requirement is outlined in Part H of the Privacy Code.

Member organisations must maintain a culture of privacy protection and review all privacy breaches with ADIA to ensure that they implement appropriate improvements in privacy protection. Organisations, therefore, need to ensure they implement practices, procedures and systems for handling enquiries and complaints with respect to compliance with the Industry Privacy Code and the Australian Privacy Principles (APPs). To ensure the process is fair and consistent, complaints and enquiries should be referred to a single point of contact, the Privacy Officer. Details of complaints must also be logged to make sure that any serious or systemic issues are identified and acted upon.

Key steps in responding to a data breach

Step 1

• Take immediate steps to contain the breach
• Make a preliminary assessment of how the breach occurred
• Try to rectify the issue as soon as possible

Step 2

• Establish the cause and extent of the breach
• Consider what personal information is involved, directly or by implication
• Determine whether the context of the information is important
• Evaluate the nature of risks for individuals associated with the breach
• Identify what is the potential risk of harm, including, e.g. re-identification, identity theft, fraud, or compromise of a generic password
• Consider protective steps an affected individual may need to take and how urgently
• If unresolved, report the complaint/breach to ADIA
• Some notifications to individuals may need to be done urgently or immediately to enable individuals to protect themselves from further consequences

Step 3                                                               

• Risk analysis on a case-by-case basis
• Consider breach notification to the regulator (www.oaic.gov.au)
• Consider breach notification to the individuals affected
• Not all breaches necessarily warrant notification (very low impact risks with very low probability of manifesting)
• Uncertainty or ambiguity about what happened elevates the risk

(Consider any mandatory notification requirements under US or EU law, if applicable, and under Australian law, if and when it is passed.)

Recommended complaint handling procedure

Should the Privacy Officer be aware that the complainant remains unsatisfied following the completion of the above process, they must inform ADIA using the online reporting form (following).

General tips for responding to a data breach

1. Take each situation seriously and move immediately to contain and assess the breach.
2. Breaches that may initially seem immaterial may be significant when their full implications are assessed.
3. Organisations should undertake steps 1 & 2 either simultaneously or in quick succession. In some cases it may be appropriate to notify individuals immediately, before containment or assessment of the breach occurs.
4. The decision on how to respond should be made on a case-by-case basis. Depending on the breach, not all steps may be necessary, or some steps may be combined. In some cases, organisations may take additional steps specific to the nature of the breach.
5. If the breach is unresolved and the complainant is dissatisfied, inform and work with ADIA to rectify the matter.