CRH Law articles


Are you prepared for a data breach?

The announcement of increased penalties for misuse of personal information by entities covered by the Privacy Act serves as a reminder of the importance of ensuring that your not-for-profit organisation has robust data and personal information handling practices in place. Is your organisation prepared to handle and respond to a data breach?

While it’s easy to think that this will never happen to you, the evidence shows that data breaches are by no means rare occurrences in Australia. In the first year of the Notifiable Data Breaches scheme alone, 964 data breaches were reported to the Office of the Australian Information Commissioner, and 60% of them were the result of malicious or criminal attacks.

Privacy policy & privacy notice

The starting point when it comes to strong data and personal information practices is your not-for-profit organisation’s privacy policy. An effective privacy policy will help the public to understand how your organisation will handle the personal information it collects.

This policy must be kept up to date and should provide clear and detailed information on your collection and use of information including:

  • What type of personal information your organisation collects;
  • How and why your organisation collects that information;
  • How your organisation will hold the information it collects;
  • The purposes for which your organisation will use the information; and
  • Who will have access to the information, and how it is protected.

Periodically reviewing your privacy policy is an effective way to make sure that you understand exactly what types of personal information and data your organisation is collecting, and how you are handling that data and information.

The privacy policy should also be supported by a separate notice of collection to be given to your clients to sign at or before the time your organisation collects their personal information.

Data breach response plan

The next step is to consider how your organisation will respond in the event of a suspected data breach. Prudent not-for-profit organisations should ensure that they have an appropriate data breach response plan in place in advance which addresses:

  • Who is responsible for handling and responding to a suspected data breach?
  • How will a suspected data breach be investigated?
  • What steps must be taken if a data breach has occurred?
  • Who must be notified of the data breach and how must this occur?
  • What steps must be taken to minimise the risk of harm to affected clients?
  • What timeframes apply to responding to the data breach?

The timeframe question is not open-ended: where an organisation suspects that an eligible data breach may have occurred, the Privacy Act requires it to take reasonable steps to complete its assessment within 30 days, so the plan should allocate responsibilities in a way that makes this achievable. These are just a few of the issues to consider in relation to the collection and management of data and personal information.

Please contact us if you would like further information about your organisation’s privacy or data breach obligations under the Privacy Act.
