Free data breach policy templates (Australia)

Make sure your business complies with data protection law with a data breach policy.



Australian legislation requires that a business notifies the Australian regulator and the individuals whose data is compromised if it suffers a data breach. Here's our guide to composing a policy that complies with the law and protects the data your company holds.

What is a data breach policy?

A data breach notification policy in Australia sets out how a business responds to unauthorised access, distribution or loss of personal information that it holds. If the company is governed by the Privacy Act 1988, the data breach notification scheme that came into effect in 2018 requires it to report to the Office of the Australian Information Commissioner (OAIC), as well as to the individuals affected, any breach of data security that could result in personal harm.

According to the OAIC, the policy should outline your company's strategy for containing, assessing and managing the incident from start to finish. The policy applies to all employees, contractors and any third party that collects or manages personal data on behalf of the business.

If your company operates in the European Union or holds data on customers there, it has additional reporting obligations under the European General Data Protection Regulation (GDPR).

When should I use a data breach policy?

A company that collects and stores personal information, such as addresses and credit card numbers of customers, should have a written policy in place so that if the security of the data is compromised it can investigate and respond immediately, as required by the law.

You should regularly test and review your company's data breach response plan – especially when launching new products or services that involve collecting data – to make sure that the procedures in place are fit for purpose. New employees should be made aware of the policy, and all employees who should be involved in a response should have easy access to the document for reference.

Data breach policy vs privacy policy

A privacy policy covers how a company handles the personal information it stores, while a data breach notification policy specifically details the company's plan for how it will respond if the security of the data is compromised.

What does a data breach policy include and not include?

A data breach policy sets out the responsibilities of specific employees in managing a data breach. It details the steps the company will take to respond to a breach and the obligations it has to report the breach.

What is included in a data breach policy?

An effective policy includes a comprehensive plan to reduce the risk of damage to the company's operations and reputation. It should:

  • Clearly define what constitutes a data breach, with relevant examples
  • Designate a response team and explain when a breach should be escalated to upper management
  • Set out how a breach should be assessed
  • Detail the strategy for containing and repairing the breach
  • Set out how the company will meet legislative or contractual requirements
  • Explain how individuals will be notified that their data has been compromised
  • Outline a communications strategy for informing the media, law enforcement and other external parties
  • Detail how the incident should be documented
  • Specify how the company should review the incident to improve its data security plan in future

What is not included in a data breach policy?

The policy document should not include legal jargon or confusing instructions. It should contain detailed information about the company's data security procedures, but it should not include confidential information about the security systems, such as passwords.

How effective is a data breach policy?

A rapid and comprehensive data breach notification policy is effective in making sure that a company complies with its legal obligations. By responding immediately and reducing the impact of the breach, a company can reduce the costs involved and minimise the impact on its reputation.

Do I need a lawyer for a data breach policy?

You can find resources online to help you write a data breach policy. However, given the serious impact a data breach can have on a company's reputation and finances, it is advisable to have a data protection lawyer review your policy document, or have them draft it for you.


How do I write a data breach policy?

A data breach policy should be written in clear language that provides detailed instructions, so employees understand their roles. It should be structured with subheadings, bullet points and numbered lists so it is easy to read and reference quickly in the event that there is a data breach.

  • Lawpath. Lawpath is an online legal resource for small businesses and entrepreneurs. You can find free samples of a range of documents, including a data breach policy, but you need to sign up for an account to download and customise the file.
  • The Fold Legal. The Fold is a law firm that provides a range of document templates that can be purchased for a one-time fee. You can download a data breach policy template for $190.
  • Sentrient. Sentrient is a workplace compliance company that offers a range of policy templates in its online human resource management system. You need to register for a free trial to access the documents.
  • Salinger Privacy. Salinger Privacy provides consulting and training services focused on compliance with Australian and EU privacy law. Its Compliance Kit includes a data breach policy template in its $2,000 comprehensive kit or $2,999 premium kit.
