SYSTEMology is an Australian-based company and as such, we take on board a lot of the local rules and regulations around breaches, including but not limited to the following:
The Privacy Amendment (Notifiable Data Breaches) Act 2017 established a Notifiable Data Breaches (NDB) scheme in Australia. Commencing on 22 February 2019, the NDB scheme requires organisations covered by the Australian Privacy Act 1988 (the Act) to notify any individuals likely to be at risk of serious harm by a data breach. We take privacy extremely seriously and it is our utmost priority to keep our clients and clients' data safe.
While we see data and privacy protection as our highest priority, it’s worth noting that SYSTEMology and systemHUB have not had any breaches in their six-year history, and putting this data breach policy in place is us being proactive.
WHAT IS A DATA BREACH?
A data breach occurs when personal information is lost or subjected to unauthorised access, modification, use or disclosure or other misuses. Personal information is information or an opinion about an identified or reasonably identifiable individual. Data breaches may include a range of different things, e.g. unauthorised access by a third party, information accidentally being uploaded to a public website or a laptop or USB drive containing personal information being lost or stolen.
WHICH DATA BREACHES ARE NOTIFIABLE?
Under the Act listed above, not all data breaches require notification. With that said, SYSTEMology and systemHUB go above and beyond what they’re required to do to keep you in the loop. Obviously, we want to make sure that we keep your personal information safe should anything happen. We’ll assess any data breach, respond immediately and keep you informed.
DATA BREACH RESPONSE PLAN
As you can imagine, we’re lovers of systems and processes, so we’ve put together a plan. This response plan is intended to enable systemHUB and SYSTEMology to contain, assess and respond to data breaches in a timely fashion and to help mitigate potential harm to affected individuals. It sets out contact details for the appropriate staff in the event of a data breach, clarifies the roles and responsibilities of staff, and documents processes to assist systemHUB and SYSTEMology to respond to a data breach.
DATA BREACH RESPONSE PROCESS
Clearly, all circumstances are unique and no two cases are exactly the same, so we deal with breaches if and when they occur on a case-by-case basis, taking the following four steps:
STEP 1: Contain the breach and do a preliminary assessment
STEP 2: Evaluate the risks associated with the breach
STEP 3: Notification
STEP 4: Prevent future breaches
The Response Team should ideally undertake steps 1, 2 and 3 either simultaneously or in quick succession. Refer to the detailed checklist at the end of this plan.
Depending on the breach, not all steps may be necessary, or some steps may be combined. In some cases, it may be appropriate to take additional steps that are specific to the nature of the breach. The checklist at the end of this plan is intended to guide the Response Team in the event of a data breach and alert the Response Team to a range of considerations when responding to a data breach.
EVALUATING A SERIOUS RISK OF HARM TO AN INDIVIDUAL OR COMPANY
In evaluating whether there is a serious risk of harm to an individual whose information is the subject of a data breach, the Response Team must consider:
- what type of personal information is involved (and in particular, whether it is sensitive information);
- whether there are any protections that would prevent the party who receives (or may have received) the personal information from using it (e.g., if it is encrypted);
- the nature of the harm that could arise from the breach;
- what steps have been taken to remedy the breach (and how certain SYSTEMology and systemHUB are that those steps are effective).
We are straight shooters who pride ourselves on our reputation and always act with our clients’ best interests at heart. We are committed to communicating with you in a timely manner should anything arise and to giving you honest, straightforward information about where we’re at and what we need to do.
As mentioned above, it is clearly our goal to avoid all of these, but getting this document in place is the best course of action for SYSTEMology and systemHUB to get ahead of things.