Australian legislation requires a business covered by the Privacy Act to notify the Australian regulator and the individuals whose personal information is compromised if it suffers a data breach that is likely to result in serious harm. Here's our guide to composing a policy that complies with the law and protects the data your company holds.
What's in this guide?
- What is a data breach policy?
- When should I use a data breach policy?
- What does a data breach policy include and not include?
- How effective is a data breach policy?
- Do I need a lawyer for a data breach policy?
- Get access to customisable Data Breach Policy templates online
- How do I write a data breach policy?
- Where to get free legal documents and templates like a data breach policy
What is a data breach policy?
A data breach notification policy in Australia sets out how a business responds to unauthorised access to, unauthorised disclosure of, or loss of personal information that it holds. If the company is covered by the Privacy Act 1988, the Notifiable Data Breaches scheme, which came into effect in February 2018, requires it to notify the Office of the Australian Information Commissioner (OAIC) and the individuals affected of any eligible data breach, that is, a breach that is likely to result in serious harm to the individuals whose information is involved.
According to the OAIC, the policy should outline your company's strategy for containing, assessing and managing an incident from start to finish. It applies to all employees, contractors and any third party that collects or handles personal information on behalf of the business.
If your company has an establishment in the European Union, or offers goods or services to, or monitors the behaviour of, individuals there, it has additional obligations under the General Data Protection Regulation (GDPR), including notifying the relevant supervisory authority of a breach without undue delay and, where feasible, within 72 hours of becoming aware of it.
When should I use a data breach policy?
A company that collects and stores personal information, such as customers' addresses and credit card numbers, should have a written policy in place so that if the security of that data is compromised it can contain, investigate and respond to the incident immediately. The Privacy Act requires a suspected eligible data breach to be assessed reasonably and expeditiously, and in any case within 30 days, so a response that is only worked out after the fact is unlikely to meet that deadline.
You should regularly test and review your company's data breach response plan, especially when launching new products or services that involve collecting personal information, to make sure the procedures in place are fit for purpose. New employees should be made aware of the policy, and everyone with a role in a response should have easy access to the document for reference.
What does a data breach policy include and not include?
A data breach policy sets out the responsibilities of specific employees in managing a data breach. It details the steps the company will take to respond to a breach and the obligations it has to report the breach.
What is included in a data breach policy?
An effective policy includes a comprehensive plan to reduce the risk of damage to the company's operations and reputation. It should:
- Clearly define what constitutes a data breach, with relevant examples
- Designate a response team and explain when a breach should be escalated to upper management
- Set out how a breach should be assessed
- Detail the strategy for containing and repairing the breach
- Set out how the company will meet legislative or contractual requirements
- Explain how individuals will be notified that their data has been compromised
- Outline a communications strategy for informing the media, law enforcement and other external parties
- Detail how the incident should be documented
- Specify how the company should review the incident to improve its data security plan in future
What is not included in a data breach policy?
The policy document should not include legal jargon or confusing instructions. It should describe the company's response procedures in detail, but it should not contain confidential details of the security systems themselves, such as passwords, encryption keys or network configuration: the policy is circulated widely, and a copy that reaches an attacker should not help them.
How effective is a data breach policy?
A data breach policy is effective when it enables a rapid and comprehensive response, which is what ensures the company meets its legal obligations. By responding immediately and limiting the impact of the breach, a company can reduce the costs involved and minimise the damage to its reputation.
Do I need a lawyer for a data breach policy?
You can find resources online to help you write a data breach policy. However, given the serious impact a data breach can have on a company's reputation and finances, it is advisable to have a data protection lawyer review your policy document, or have them draft it for you.
Get access to customisable Data Breach Policy templates online
How do I write a data breach policy?
A data breach policy should be written in clear language that provides detailed instructions, so employees understand their roles. It should be structured with subheadings, bullet points and numbered lists so it is easy to read and reference quickly in the event that there is a data breach.
Where to get free legal documents and templates like a data breach policy
- Lawpath. Lawpath is an online legal resource for small businesses and entrepreneurs. You can find free samples of a range of documents, including a data breach policy, but you need to sign up for an account to download and customise the file.
- The Fold Legal. The Fold is a law firm that provides a range of document templates that can be purchased for a one-time fee. You can download a data breach policy template for $190.
- Sentrient. Sentrient is a workplace compliance company that offers a range of policy templates in its online human resource management system. You need to register for a free trial to access the documents.
- Salinger Privacy. Salinger Privacy provides consulting and training services focused on compliance with Australian and EU privacy law. Its Compliance Kit includes a data breach policy template in its $2,000 comprehensive kit or $2,999 premium kit.