February 2018
This data breach response plan (Response Plan) sets out procedures and clear lines of authority for
AFL staff in the event that the AFL experiences a (potential) data breach.
A data breach occurs when personal information held by the AFL is lost or subjected to unauthorised access, modification, use or disclosure, or other misuse. Data breaches can be caused or exacerbated by a variety of factors, can affect different types of personal information and may give rise to potential harms to individuals, agencies and organisations. Examples include:
a) membership forms being incorrectly printed and sent to members, with the first page being the log-in details of the correct member but the details of another member inadvertently printed on the reverse;
b) sending an update to a State Affiliate with an attachment about the status of workers compensation claims by employees (including their name, address, date of birth and health information about their claimed injury), and accidentally sending it to the wrong individual; or
c) losing an unencrypted memory stick holding personal information about players.
This Response Plan will enable the AFL to contain, assess and respond to data breaches in a timely
fashion and to help mitigate potential harm to affected individuals. It sets out contact details for the
appropriate staff in the event of a (potential) data breach, clarifies the roles and responsibilities of
staff and documents processes to assist the AFL to respond.
For example, an AFL employee may, as a result of human error, send an email containing personal information to the wrong recipient. Depending on the sensitivity of the email's contents, if the email can be recalled, or if the employee can contact the recipient and the recipient agrees to delete the email, there may be no utility in escalating the issue to the AFL Data Breach Response Team. The employee should confirm that response with the Immediate Responders before treating the matter as closed.
The Immediate Responders should use their discretion in determining whether a (potential) data
breach requires escalation to the AFL Data Breach Response Team. In making that determination,
the Immediate Responders should consider the following questions:
Secondary contacts

Corporate Affairs: Elizabeth Lukin
Legal & Risk: Stephen Meade
IT: Toan Tran or Jay Allen
3. AFL Data Breach Response Team checklist
Process
There are four key steps to consider when responding to a (potential) breach.
The AFL Data Breach Response Team should ideally undertake steps 1, 2 and 3 either simultaneously
or in quick succession.
The AFL Data Breach Response Team should refer to the OAIC’s Data breach notification: a guide to
handling personal information security breaches which provides further detail on each step.
Depending on the nature and extent of the breach, not all steps may be necessary, or some steps
may be combined. In some cases, it may be appropriate to take additional steps that are specific to
the nature and extent of the breach.
When reviewing AFL processes and procedures to reduce the risk of future breaches (Step 4), the AFL Data Breach Response Team should also refer to the OAIC's Guide to securing personal information. That guide sets out steps and strategies the AFL may take to prevent or respond to breaches, and actions that may be appropriate to prevent further breaches following an investigation.
The following checklist is intended to guide the AFL Data Breach Response Team in the event of a
data breach, and alert the AFL Data Breach Response Team to a range of considerations when
responding to a data breach.
If the AFL has reasonable grounds to believe a serious data breach has occurred, it is obligated to promptly notify the individuals at likely risk of serious harm. The Privacy Commissioner must also be notified as soon as practicable by way of a statement about the serious data breach. The notification to affected individuals and the Commissioner must include the information set out under Step 3 below.
Step 2 - Evaluate the risks for individuals associated with the breach
• Conduct an initial investigation and collect information about the breach promptly, including:
  • the date, time, duration and location of the breach
  • the type of personal information involved in the breach
  • how the breach was discovered and by whom
  • the cause and extent of the breach
  • a list of the affected individuals, or possibly affected individuals
  • the risk of serious harm to the affected individuals
  • the risk of other harms.
• Determine whether the context of the information is important.
• Establish the cause and extent of the breach.
• Assess priorities and risks based on what is known.
• Keep appropriate records of the (potential) breach and of the actions of the AFL Data Breach Response Team, including the steps taken to rectify the situation and the decisions made.
• Determine who needs to be made aware of the breach (internally, and potentially externally) at this preliminary stage.

Step 3 - Consider breach notification
• Determine whether to notify affected individuals: is there a real risk of serious harm to the affected individuals? In some cases, it may be appropriate to notify the affected individuals immediately.
• If there are reasonable grounds to believe there has been a serious data breach and remedial action is not effective, notify the Privacy Commissioner, setting out (1) a description of the data breach, (2) the kind or kinds of information concerned and (3) recommendations to individuals about the steps they should take to minimise the impact of the breach.
• Consider whether others should be notified, including police/law enforcement, other agencies or organisations affected by the breach, or insurers.