Australia Updates Breach Guidance

Response Guide Calls for Risk Analysis Approach
The Office of the Australian Information Commissioner has released new guidance for agencies and organizations to respond effectively to data breaches.
Titled "Data breach notification: A guide to handling personal information security breaches," the guidance is an update of an August 2008 document that was prepared "to keep pace with the changing attitudes and approaches to data breach management," according to the OAIC.
The voluntary guide calls for a risk analysis approach. "Agencies and organisations should evaluate data breaches on a case-by-case basis and make decisions on actions to take according to their own assessment of risks and responsibilities in their particular circumstances," OAIC explains on the guide's resource page.
According to the resource page, the guide was developed for Australian government agencies, private sector organizations and Norfolk Island agencies, all of which handle personal information covered by the Privacy Act.
The guide explains that organizations should put in place reasonable measures to deal with data breaches, including notification to affected individuals and the OAIC, "while legislative change is considered by the government."
In implementing security safeguards around personal information, the guide suggests organizations consider the following steps in fulfilling their information security obligations:
- Conduct risk and privacy impact assessments;
- Develop an information security policy;
- Train staff;
- Create a position to deal with data breaches;
- Implement privacy enhancing technologies;
- Monitor and review for compliance with security policy;
- Measure performance against Australian and international standards.