Notifiable Data Breach policy

Saward Dawson is committed to excellent business practices in regard to the privacy of our clients’ and staffs’ personal information.

Whilst we accept that the possibility of a Data Breach is always possible, we make it a priority to avoid such a situation.

If a NDB should occur, we will implement our Incident Response Plan so as to:

  • Contain the breach
  • Evaluate the risks
  • Notify the appropriate parties including the Office of the Australian Information Commissioner (OAIC) if required and
  • Implement a thorough review with suitable implementation of future preventable actions plans.

 Incident Response Plan

We will recognise a NDB has occurred if:

  • There is either unauthorised access to, misuse or interference, or a loss of personal information and
  • The listed actions are likely to cause serious harm to the individuals whom the information relates to.

In such circumstances Saward Dawson will:

Step 1. Contain the data breach and make a preliminary assessment

We will take whatever steps are possible to immediately contain the breach. This might include, but not be limited to, the following actions:

  • Stop the unauthorised actions
  • Recover the data/information
  • Shutdown or appropriately limit the services of the breached systems.

We would then conduct a preliminary assessment of the breach by considering:

  • What personal information is involved?
  • What was the cause of the breach?
  • What is the extent of the breach?
  • What is the likely harm to affected individuals?

Step 2. Evaluate the risks associated with the breach

To determine what other steps are immediately necessary we will assess the associated risks by considering the following factors:

  • The type of personal information involved, who is affected and the level of potential harm
  • The context of the affected information and the breach. Who has gained unauthorised access and how might the information be used.
  • The cause and extent of the breach.
  • The risk of serious harm to the affected individuals.
  • The risk of other potential harm.

Step 3. Notification

In each case, we will evaluate the breach and consider whether notification is required.

Prompt notification to affected individuals may, in some cases, help mitigate the damage by enabling them to take steps to protect themselves. Saward Dawson will:

  • Take into account the ability of the individual to take specific steps to mitigate any such harm and
  • Consider whether it is appropriate to inform other third parties such as the OAIC, the police, or other regulators or professional bodies about the data breach.

Step 4. Incident review

Once the immediate steps have been taken to mitigate the risks associated with the breach, Saward Dawson will undertake to investigate the cause and consider future prevention strategies.

This will include:

  • Conducting an in depth review into the breach and how it was able to occur
  • If necessary, preparation and implementation of a prevention plan to reduce the possibility of future similar breaches
  • Revision of existing policies and procedures with updated staff training if considered necessary.