Because digital information can be copied and moved so easily, it is not always obvious when or where a breach has occurred. Clear procedures for protecting your business' privacy serve two purposes: they help prevent breaches, and they help you detect them. If you have clearly established who may access information, how they may access it, and why, then any access that falls outside those rules is a signal that a breach may have occurred.
A breach can also occur unintentionally. For example, personal information can be accidentally sent to the wrong recipient by email, or lost when a laptop or phone is stolen.
What to do in the event of a breach
- Contain and assess. Stop the unauthorized access as soon as you can. This could mean stopping inappropriate behaviour, taking a system offline, or fixing the weakness that was exploited. Begin an investigation into the breach at the same time, and preserve the records you will need for it (for example, access logs and the affected device) rather than wiping or discarding them.
- Evaluate the risks. What information may have been accessed or lost? How sensitive is it, and what harm could result for the people it concerns? How did the breach occur, and could it happen again?
- Notify. Notifying those affected by the breach helps them reduce the harm to themselves. You have a responsibility to notify them; decide who needs to be told, how, and when. You may also need to inform other organizations, such as the police, credit card companies, and regulatory bodies such as the Office of the Privacy Commissioner.
Privacy breaches are serious. Report them to the Office of the Privacy Commissioner.