Australian legislation requires that a business notify the Australian regulator and the individuals whose data is compromised if it suffers a data breach. Here's our guide to composing a policy that complies with the law and protects the data your company holds.
What is a data breach policy?
A data breach notification policy in Australia sets out how a business responds to unauthorised access, distribution or loss of personal information that it holds. If the company is governed by the Privacy Act 1988, the data breach notification scheme that came into effect in 2018 requires it to report any breach of data security that could result in personal harm to both the Office of the Australian Information Commissioner (OAIC) and the individuals affected.
According to the OAIC, the policy should outline your company's strategy for containing, assessing and managing the incident from start to finish. The policy applies to all employees, contractors and any third party that collects or manages personal data on behalf of the business.
If your company operates in, or holds data on customers in, the European Union, it has additional reporting obligations under the European Union's General Data Protection Regulation (GDPR).
When should I use a data breach policy?
A company that collects and stores personal information, such as addresses and credit card numbers of customers, should have a written policy in place so that if the security of the data is compromised it can investigate and respond immediately, as required by the law.
You should regularly test and review your company's data breach response plan – especially when launching new products or services that involve collecting data – to make sure that the procedures in place are fit for purpose. New employees should be made aware of the policy, and all employees who would be involved in a response should have easy access to the document for reference.
What does a data breach policy include and not include?
A data breach policy sets out the responsibilities of specific employees in managing a data breach. It details the steps the company will take to respond to a breach and the obligations it has to report the breach.
What is included in a data breach policy?
An effective policy includes a comprehensive plan to reduce the risk of damage to the company's operations and reputation. It should:
- Clearly define what constitutes a data breach, with relevant examples
- Designate a response team and explain when a breach should be escalated to upper management
- Set out how a breach should be assessed
- Detail the strategy for containing and repairing the breach
- Set out how the company will meet legislative or contractual requirements
- Explain how individuals will be notified that their data has been compromised
- Outline a communications strategy for informing the media, law enforcement and other external parties
- Detail how the incident should be documented
- Specify how the company should review the incident to improve its data security plan in future
What is not included in a data breach policy?
The policy document should not include legal jargon or confusing instructions. It should contain detailed information about the company's data security procedures, but it should not include confidential information about the security systems themselves, such as passwords.
How effective is a data breach policy?
A data breach notification policy that enables a rapid and comprehensive response is effective in making sure that a company complies with its legal obligations. By responding immediately and reducing the impact of the breach, a company can reduce the costs involved and minimise the damage to its reputation.
Do I need a lawyer for a data breach policy?
You can find resources online to help you write a data breach policy. However, given the serious impact a data breach can have on a company's reputation and finances, it is advisable to have a data protection lawyer review your policy document, or have them draft it for you.
How do I write a data breach policy?
A data breach policy should be written in clear language that provides detailed instructions, so employees understand their roles. It should be structured with subheadings, bullet points and numbered lists so that it is easy to read and to reference quickly in the event of a data breach.
Where to get free legal documents and templates like a data breach policy
- Lawpath. Lawpath is an online legal resource for small businesses and entrepreneurs. You can find free samples of a range of documents, including a data breach policy, but you need to sign up for an account to download and customise the file.
- The Fold Legal. The Fold is a law firm that provides a range of document templates that can be purchased for a one-time fee. You can download a data breach policy template for $190.
- Sentrient. Sentrient is a workplace compliance company that offers a range of policy templates in its online human resource management system. You need to register for a free trial to access the documents.
- Salinger Privacy. Salinger Privacy provides consulting and training services focused on compliance with Australian and EU privacy law. Its Compliance Kit includes a data breach policy template in its $2,000 comprehensive kit or $2,999 premium kit.