Effective and responsive data breach plans – building public confidence
On Tuesday 13 June 2023, the Speaker of the Queensland Legislative Assembly tabled our report in Parliament on government agencies’ assessments of their readiness to respond to data breaches quickly and effectively.
Data breaches are a significant feature in the privacy landscape. Australia’s largest corporate data breaches included cyber-attacks on Optus, Medibank and Latitude Finance, affecting the personal information of millions of Australians.
Government agencies are not immune to the risk of data breaches. Queenslanders entrust government agencies with their personal information. To maintain this trust, agencies need to allocate sufficient time, attention and resources to prevent and manage data breaches.
This was recognised in the independent review into culture and accountability in the Queensland public sector conducted by Professor Peter Coaldrake AO. The Queensland government endorsed the review’s recommendations.
We conducted a survey and asked agencies to report on their planning to respond to data breaches. The survey prompted agencies to reflect on the systems they have in place. All Queensland government agencies should also be alert to current and possible future obligations to report data breaches.
Some agencies reported that they have comprehensive data breach response plans. However, in general, agencies have more work to do to be ready to respond to data breaches effectively.
We recommend that all agencies ensure they have appropriate policies, procedures, plans and strategies in place so they can prevent, detect and respond to data breaches quickly and effectively. For example, a comprehensive data breach response plan can help agencies limit the consequences of a breach, including the risk of harm to individuals whose privacy has been affected. Agencies also need to prepare for mandatory notifications to external stakeholders.
