We place the highest level of importance on protecting the confidentiality of information that is entrusted to us by our clients. Our commitment includes stringent security processes and technology, as well as compliance with the Australian Privacy Laws (Privacy Act 1988). We have established the following process to be followed by our team members if a Privacy Data Breach should occur at some time in the future.
Communicat’s main business activity is to provide Information Technology services to commercial, government and community service organisations. Therefore, in the event of a serious Privacy Data Breach we would notify our client organisations and it would then be the responsibility of the client to:
- Notify any individuals affected; and
- Comply with their responsibilities under Australian Privacy Laws.
In some rare situations Communicat provides IT services directly to individuals, and in those instances we would notify both the individual and the Australian Information Commissioner.
2. Process to be followed if a Privacy Data Breach occurs or is suspected
2.1 Identify and analyse the incident
- Who would be affected;
- Whether it is likely to result in serious harm; and
- Whether it constitutes a Notifiable Data Breach within the terms of the Australian Privacy Laws.
2.2 Advise Affected Organisations or Individuals
If any Communicat Team Member knows, or suspects, that a Privacy Data Breach has occurred, they must alert the Chief Executive Officer within 24 hours, providing details including:
- When the breach occurred;
- What type of personal information is affected;
- Cause of the breach (if known);
- How it was discovered;
- Which system(s) (if any) may be affected;
- Whether corrective action has taken place.
2.3 Assess and determine the potential impact
The CEO or (in his/her absence) a Team Leader would then consider whether a serious Privacy Data Breach has occurred and the degree of severity:
- Is personal and sensitive information involved?
- What type and extent of personal information is involved?
- Are multiple individuals affected?
- Is the information protected by any security measures (password or encryption)?
- Which person or kinds of persons may have gained unauthorised access?
- Is there a real risk of serious harm to the affected individuals?
- Could there be media or stakeholder attention as a result of the incident?
If the incident is designated as a serious Privacy Data Breach then the CEO or Team Leader must take corrective action within 24 hours.
3. Taking Corrective Action
Any such incident must be dealt with on a case-by-case basis according to the circumstances and risks.
Corrective action will commence within 48 hours and will include:
- Immediately contain the breach e.g. recovery of personal information, cease unauthorised access, shut down or isolate the affected system(s);
- Collect and document all available evidence of the breach;
- Call upon necessary expertise, including Communicat cyber security specialists or external advisers if necessary;
- Consider developing a communication strategy including the timing, content and method of any announcements to any affected individuals.
Corrective action shall continue until the matter is fully resolved.
4. After the Event
Once the incident has been resolved we will then:
- Consider lessons learned and remedial action that can be taken to reduce the risk of a future occurrence – this may involve a review of policies, processes or training; and
- Prepare a report for the CEO.
5. Contact details
© Communicat Business Solutions Pty Ltd 2018. All rights reserved