Updated guidance on privacy breach management

February 12, 2018 - 3:58pm

Mandatory data breach reporting is a topical subject due to the impending introduction of the Notifiable Data Breaches scheme under the Commonwealth Privacy Act 1988 (although should a plague of hacker bunnies ever occur, this too would make the news).

The Information Privacy Act 2009 (Qld) (IP Act) does not impose a mandatory obligation on Queensland government agencies to notify the Office of the Information Commissioner (OIC) or affected individuals in the event of a privacy breach. Regardless, the same principle should apply as in the Commonwealth’s scheme – that the agency should first and foremost consider the impact of the breach on the affected individuals and take all reasonable steps to minimise any potential damage.

Agencies can also obtain value by notifying OIC in the event of a breach. Not only can we provide advice on responding to the breach, but notification also enables us to offer a measure of reassurance when the community enquires about the breach. We also strongly encourage agencies, in appropriate circumstances, to notify affected individuals as part of good privacy practice and in the interest of promoting openness and transparency.

To assist agencies in this area, OIC’s guideline on privacy breach management has been updated to provide information on some of the circumstances when it may be appropriate to notify a third party of a privacy breach, such as the Queensland Government Chief Information Office under its ‘Information security incident reporting standard’.

A new template is also available to guide agencies through the key steps in responding to a privacy breach and to help them capture a record of their actions and decisions.

Image source: Teach Privacy - Funniest Hacker Stock Photos