Case Study: Data Privacy Review - BREAK consulting

Case Study: Data privacy review for a national service provider

An organisation is contracted to deliver health services nationally and therefore holds the personal and health information of over 1 million Australians. Under the Privacy Amendment (Notifiable Data Breaches) Act 2017, it is required to notify the Office of the Australian Information Commissioner (OAIC) and any potentially affected individuals of an eligible data breach where there is a likely risk of serious harm. A data breach occurs when personal information held by an entity is lost or subjected to unauthorised access, modification, disclosure, or other misuse or interference.

The organisation proactively sought to update its privacy policies and procedures to meet the new reporting requirement.

The project outcome was to conduct a health check of privacy procedures and develop a Data Breach Response Plan covering risk assessment, breach containment, and notification processes. Achieving this outcome required engaging and educating the state and territory organisations so that the privacy escalation and reporting process was aligned nationally.

We acted as the independent reviewer and developer of the Data Breach Response Plan.

We worked with key leaders and subject matter experts who understood the required changes to:

  • Understand the legislative requirements and align to recommended approaches.
  • Understand the contractual deliverables and obligations.
  • Review the existing privacy policy and procedures, as well as related HR, IT and risk management procedures.
  • Conduct a health check of existing privacy processes and documents.
  • Develop draft plans for review, validation and adoption by the national organisation.
  • Educate the state and territory organisations on the new process.

The Data Breach Response Plan met the client requirement and was accepted by the Commonwealth.

What we can learn from this project

  • Effective data protection is essential to retain the trust of the client.
  • Early preparation and regular review are important to keep procedures current and be ready in the event of a suspected breach.
  • Integration with cyber security penetration testing, staff training, and business continuity testing is necessary to inculcate a culture of ‘privacy by design.’
  • Quick and effective response to a data breach is facilitated by a detailed plan supported by a data breach response team.

What the industry said about proactive preparation

Minter Ellison head of cyber risk, Paul Kallenbach: ‘Only 40 per cent of Australian organisations are prepared for the new scheme, having reviewed their policies, data breach response plans, and security controls. Organisations are facing a difficult challenge…and policies need to be specific to the data an organisation holds and they need to be constantly reviewed and adjusted.’