The Australian Office of the Privacy Commissioner has released a consultation draft of data breach response guidelines.
The guidelines recommend four steps in responding to a breach:
- Contain the breach and do a preliminary assessment.
- Evaluate the risks associated with the breach, for example, what information is involved, who and what caused the breach, who is affected, and what is the risk of harm to those affected.
- Consider and issue notification.
  - When to notify? Most importantly, the OPC has recommended a harm-based analysis for notification: "In general, if an information security breach creates a real risk of serious harm to the individual, those affected should be notified."
  - How to notify? Notification may be sent directly to the affected individuals, for example by phone, mail, in person or (notably) email. Indirect notification, for example, in the media or posted on a website, should occur only when direct notification could cause further harm, when costs are prohibitive, or when contact details for affected individuals cannot be determined.
  - What to notify? The draft recommends the type of information involved, how the company has responded, what assistance is being provided to affected individuals or other sources of information available, company contact details, whether the regulator has been notified, and how a complaint may be lodged with the Privacy Commissioner.
- Prevent future breaches.
While the Privacy Commissioner has issued these guidelines as voluntary, she has also recommended that mandatory breach notification be included in the coming rewrite of the Privacy Act. So this draft provides insight into how Australia might incorporate such a notification requirement.
Comments have been requested by June 16, 2008, and can be sent to firstname.lastname@example.org.