
Notifiable Data Breach policy

Saward Dawson is committed to excellent business practices in regard to the privacy of our clients’ and staff’s personal information.

Whilst we accept that a Data Breach is always possible, we make it a priority to avoid such a situation.

If an NDB should occur, we will implement our Incident Response Plan so as to:
• Contain the breach
• Evaluate the risks
• Notify the appropriate parties, including the Office of the Australian Information Commissioner (OAIC) if required, and
• Implement a thorough review, with suitable implementation of future prevention action plans.

Incident Response Plan

We will recognise that an NDB has occurred if:
• There is either unauthorised access to, misuse of or interference with, or a loss of, personal information and
• The listed actions are likely to cause serious harm to the individuals to whom the information relates.

In such circumstances Saward Dawson will:

Step 1. Contain the data breach and make a preliminary assessment

We will take whatever steps are possible to immediately contain the breach. This might include, but not be limited to, the following actions:
• Stop the unauthorised actions
• Recover the data/information
• Shut down or appropriately limit the services of the breached systems.

We would then conduct a preliminary assessment of the breach by considering:
• What personal information is involved?
• What was the cause of the breach?
• What is the extent of the breach?
• What is the likely harm to affected individuals?

Step 2. Evaluate the risks associated with the breach

To determine what other steps are immediately necessary, we will assess the associated risks by considering the following factors:
• The type of personal information involved, who is affected and the level of potential harm.
• The context of the affected information and the breach: who has gained unauthorised access, and how might the information be used?
• The cause and extent of the breach.
• The risk of serious harm to the affected individuals.
• The risk of other potential harm.

Step 3. Notification

In each case, we will evaluate the breach and consider whether notification is required.

Prompt notification to affected individuals may, in some cases, help mitigate the damage by enabling them to take steps to protect themselves. Saward Dawson will:
• Take into account the ability of the individual to take specific steps to mitigate any such harm and
• Consider whether it is appropriate to inform other third parties such as the OAIC, the police, or other regulators or professional bodies about the data breach.

Step 4. Incident review

Once the immediate steps have been taken to mitigate the risks associated with the breach, Saward Dawson will undertake to investigate the cause and consider future prevention strategies.

This will include:
• Conducting an in-depth review into the breach and how it was able to occur
• If necessary, preparation and implementation of a prevention plan to reduce the possibility of future similar breaches
• Revision of existing policies and procedures with updated staff training if considered necessary.
