The announcement of increased penalties for misuse of personal information by entities covered by the Privacy Act serves as a reminder of the importance of ensuring that your not-for-profit organisation has robust data and personal information handling practices in place. Is your organisation prepared to handle and respond to a data breach?
While it’s easy to think that this will never happen to you, the evidence shows that data breaches are by no means rare occurrences in Australia. Over 964 data breaches were reported to the Office of the Australian Information Commissioner during the first year of the notifiable data breach scheme alone, of which 60% were the result of malicious or criminal attacks.
Your organisation's privacy policy must be kept up to date and should provide clear and detailed information on your collection and use of personal information, including:
- What type of personal information your organisation collects;
- How and why your organisation collects that information;
- How your organisation will hold the information it collects;
- What purposes your organisation will use the information for; and
- Who will have access to the information, and how it will be protected.
Data breach response plan
The next step is to consider how your organisation will respond in the event of a suspected data breach. Prudent not-for-profit organisations should ensure that they have an appropriate data breach response plan in place, prepared in advance, that addresses:
- Who is responsible for handling and responding to a suspected data breach?
- How will a suspected data breach be investigated?
- What steps must be taken if a data breach has occurred?
- Who must be notified of the data breach and how must this occur?
- What steps must be taken to minimise the risk of harm to affected clients?
- What timeframes apply to responding to the data breach?
These are just a few of the issues to consider in relation to the collection and management of data and personal information.
Please contact us if you would like further information about your organisation’s privacy or data breach obligations under the Privacy Act.