
Data Breach Response Policy

A data breach response policy prepares your organisation to respond quickly and lawfully to a data breach — including the mandatory notification obligations under the NDB scheme.


What is a Data Breach Response Policy?

A data breach response policy is an internal document that defines how an organisation identifies, contains, assesses, and responds to data security incidents, including the mandatory notification requirements under Australia's Notifiable Data Breaches (NDB) scheme.

Under the Privacy Act 1988 (Cth), eligible data breaches — those likely to result in serious harm to affected individuals — must be notified to the Office of the Australian Information Commissioner (OAIC) and affected individuals as soon as practicable, typically within 30 days of becoming aware of the breach. A pre-existing response policy dramatically reduces the time to respond and the risk of regulatory penalties for delayed notification.

When do you need a Data Breach Response Policy?

  • Before handling any significant volume of personal data
  • As part of a broader cybersecurity and data governance framework
  • Before enterprise customers conduct security due diligence
  • When ISO 27001, SOC 2, or other security certifications are being pursued

Key provisions to include

Breach Identification

How security incidents are detected, reported internally, and escalated for assessment.

Breach Assessment

Process for determining whether an incident constitutes an eligible data breach under the NDB scheme.

Containment

Immediate steps to limit the impact of the breach — disabling accounts, revoking access, patching vulnerabilities.

OAIC Notification

Timeline and content requirements for notifying the OAIC of an eligible data breach.

Individual Notification

How affected individuals are notified and the information that must be included.

Post-Incident Review

How the incident is reviewed and what changes are made to prevent recurrence.

Record-Keeping

Documentation requirements for all breach incidents, including those that do not meet the NDB notification threshold.

Common mistakes to avoid

1. Not having a documented response policy before a breach occurs — post-breach planning is always more chaotic and slower
2. Failing to designate a named individual responsible for breach response — ambiguity about responsibility delays notification
3. Not training staff to recognise and report potential security incidents promptly

Frequently asked questions

What is the Notifiable Data Breaches scheme?

The NDB scheme, introduced under the Privacy Act 1988 in February 2018, requires entities covered by the Act to notify the OAIC and affected individuals of 'eligible data breaches' — those involving personal information, a loss of access to data, or a security compromise that is likely to result in serious harm to affected individuals.

How long do I have to notify the OAIC of a data breach?

Once an entity becomes aware of an eligible data breach, it must notify the OAIC as soon as practicable. There is no fixed 72-hour deadline as in the GDPR, but the OAIC expects notification within 30 days of becoming aware of the breach. Unnecessary delays can result in regulatory action.

