OIC recommends agencies start developing a Data Breach Policy

June 20, 2024 - 2:11pm

As part of the reforms under the Information Privacy and Other Legislation Amendment Act 2023 (IPOLA Act), a Mandatory Notification of Data Breach (MNDB) scheme will commence on 1 July 2025 for the Queensland public sector, including statutory authorities, and on 1 July 2026 for local government.

Agencies will be required to take certain actions when they know, or reasonably suspect, that a data breach has occurred, keep an eligible data breach register, and prepare and publish a Data Breach Policy.

This policy should outline an agency’s overall strategy for managing a data breach from start to finish.

Having a clear Data Breach Policy will help agencies:

  • prepare for, evaluate and respond to a breach at the appropriate level within the agency and in a timely fashion;
  • mitigate potential harm to individuals and the agency; and
  • meet statutory obligations, including reporting requirements, under the Information Privacy Act 2009.

OIC encourages agencies to:

  • review current systems, policies, and procedures to ensure enough preparation time ahead of the MNDB scheme starting from 1 July 2025
  • identify roles and responsibilities for managing a data breach as this should form part of your agency’s Data Breach Policy
  • consider requirements for subject matter expertise
    • this could include people in your agency (and external providers) responsible for privacy, information security and management, incident response, legal, communications, cybersecurity, physical security, human resources, key agency operations staff and key outsourcing/relationship managers
  • establish escalation procedures for staff including:
    • how to immediately report a suspected breach
    • when line managers can handle a breach
    • the circumstances in which a breach should be escalated to a response team (generally based on severity or the level of response required)

In addition, the Queensland Audit Office recently published its report on Responding to and recovering from cyber attacks. This timely report provides valuable information and makes a number of recommendations for preventing and responding to cyber attacks, incidents which could be reportable under the MNDB scheme.

OIC will continue to publish Guidelines on the IPOLA reforms on our dedicated IPOLA webpage.