
AFL Data Breach Response Plan

February 2018

This data breach response plan (Response Plan) sets out procedures and clear lines of authority for
AFL staff in the event that the AFL experiences a (potential) data breach.

A data breach will occur when personal information held by the AFL is lost or subjected to
unauthorised access, modification, use or disclosure or other misuse. Data breaches can be caused
or exacerbated by a variety of factors, affect different types of personal information and may give
rise to potential harms to individuals, agencies and organisations.

Examples of what a (potential) data breach might involve are:

a) membership forms being incorrectly printed and sent to members, with the first page being
the log-in details of the correct member, but the details of another member inadvertently
printed on the reverse;
b) sending updates to a State Affiliate with an attachment about the status of the workers
compensation claims by employees (including their name, address, date of birth, and health
information about their claimed injury) and accidentally sending to the wrong individual; or
c) losing an unencrypted memory stick holding personal information about players.

This Response Plan will enable the AFL to contain, assess and respond to data breaches in a timely
fashion and to help mitigate potential harm to affected individuals. It sets out contact details for the
appropriate staff in the event of a (potential) data breach, clarifies the roles and responsibilities of
staff and documents processes to assist the AFL to respond.

Response flow

Stage 1: The AFL experiences a (potential) data breach. It is discovered by an AFL staff member, or the AFL is otherwise alerted (e.g. a complaint is made by a person about potentially improper use of their personal information).

Stage 2: What should the AFL staff member do? Immediately notify Lauren McInnes (AFL Legal Counsel and Privacy Officer) and your immediate supervisor (Immediate Responders). Record and advise the Immediate Responders of the time and date the suspected breach was discovered, the type of personal information involved, the cause and extent of the breach, and the context of the affected information and the breach.

Stage 3: If the Immediate Responders determine that a data breach has or may have occurred, and that the data breach is serious (i.e. it is likely to cause harm to a person), they immediately escalate to the AFL Data Breach Response Team.

1. When should the Immediate Responders escalate a (potential) data breach to the AFL Data Breach Response Team?
The Immediate Responders should use their discretion in deciding whether to escalate to the AFL
Data Breach Response Team. Some data breaches may be minor, and able to be dealt with easily
without action from the AFL Data Breach Response Team.

For example, an AFL employee may, as a result of human error, send an email containing personal
information to the wrong recipient. Depending on the sensitivity of the email's contents, if the email
can be recalled, or if the employee can contact the recipient and the recipient agrees to delete the
email, then, subject to confirming this response with the Immediate Responders, there may be no
utility in escalating the issue to the AFL Data Breach Response Team.

The Immediate Responders should use their discretion in determining whether a (potential) data
breach requires escalation to the AFL Data Breach Response Team. In making that determination,
the Immediate Responders should consider the following questions:

□ Are multiple individuals affected by the (potential) breach?
□ Is there a real risk of serious harm to the affected individual(s)?
□ Does the breach indicate a systemic problem in AFL processes or procedures?
□ Is there (potential) media or stakeholder attention as a result of the (potential) breach?

If the answer to any of these questions is ‘yes’, then it may be appropriate for the Immediate
Responders to notify the AFL Data Breach Response Team.

2. AFL Data Breach Response Team

The Immediate Responders to a (potential) data breach may convene the AFL Data Breach Response
Team. This AFL Data Breach Response Team will be made up of at least one member from each of the
following AFL departments:

Corporate Affairs
    Primary contact: Patrick Keane
    Secondary contact: Elizabeth Lukin or Jay Allen

Legal & Risk
    Primary contact: Lauren McInnes
    Secondary contact: Stephen Meade

IT
    Primary contact: Ben Kerswill
    Secondary contact: Toan Tran

3. AFL Data Breach Response Team checklist

Process

There is no single method of responding to a data breach. Data breaches must be dealt with on a
case-by-case basis, by undertaking an assessment of the risks involved, and using that risk
assessment to decide the appropriate course of action.

There are four key steps to consider when responding to a (potential) breach.

□ STEP 1: Contain the breach and do a preliminary assessment
□ STEP 2: Evaluate the risks associated with the breach
□ STEP 3: Notification
□ STEP 4: Prevent future breaches

The AFL Data Breach Response Team should ideally undertake steps 1, 2 and 3 either simultaneously
or in quick succession.

The AFL Data Breach Response Team should refer to the OAIC’s “Data breach notification: a guide to
handling personal information security breaches”, which provides further detail on each step.

Depending on the nature and extent of the breach, not all steps may be necessary, or some steps
may be combined. In some cases, it may be appropriate to take additional steps that are specific to
the nature and extent of the breach.

In reconsidering AFL processes and procedures to reduce the risk of future breaches (Step 4), the
AFL Data Breach Response Team should also refer to the OAIC’s “Guide to securing personal
information”. This guide presents options available as to steps and strategies that may be appropriate
for the AFL to take in order to prevent or respond to breaches, and considers actions that may be
appropriate to help prevent further breaches following an investigation.

The following checklist is intended to guide the AFL Data Breach Response Team in the event of a
data breach, and alert the AFL Data Breach Response Team to a range of considerations when
responding to a data breach.

If the AFL has reasonable grounds to believe a serious data breach has occurred, it is obligated to
promptly notify individuals at likely risk of serious harm. The Privacy Commissioner must also be
notified as soon as practicable through a statement about the serious data breach.

The notification to affected individuals and the Commissioner must include the following
information:

□ the identity and contact details of the organisation;
□ a description of the data breach;
□ the kinds of information concerned; and
□ recommendations about the steps individuals should take in response to the data breach.

The draft notifiable data breach form can be found here.


Checklist for action by AFL Data Breach Response Team

Step 1 - Contain the breach and make a preliminary assessment
• Convene a meeting of the AFL Data Breach Response Team.
• Immediately contain the breach.
• Inform the AFL Executive, and provide ongoing updates on key developments.
• Ensure evidence is preserved that may be valuable in determining the cause of the breach, or in
  allowing the AFL to take appropriate corrective action.
• Consider developing a communications or media strategy to manage public expectations and media
  interest.

Step 2 - Evaluate the risks for individuals associated with the breach
• Conduct an initial investigation, and collect information about the breach promptly, including:
  • the date, time, duration, and location of the breach
  • the type of personal information involved in the breach
  • how the breach was discovered and by whom
  • the cause and extent of the breach
  • a list of the affected individuals, or possible affected individuals
  • the risk of serious harm to the affected individuals
  • the risk of other harms.
• Determine whether the context of the information is important.
• Establish the cause and extent of the breach.
• Assess priorities and risks based on what is known.
• Keep appropriate records of the (potential) breach and actions of the AFL Data Breach Response
  Team, including the steps taken to rectify the situation and the decisions made.

Step 3 - Consider breach notification
• Determine who needs to be made aware of the breach (internally, and potentially externally) at
  this preliminary stage.
• Determine whether to notify affected individuals – is there a real risk of serious harm to the
  affected individuals? In some cases, it may be appropriate to notify the affected individuals
  immediately.
• If there are reasonable grounds to believe there has been a serious data breach and remedial
  action is not effective, notify the Privacy Commissioner setting out (1) a description of the
  data breach, (2) the kind or kinds of information concerned and (3) recommendations to
  individuals about the steps that they should take to minimise the impact of the breach.
• Consider whether others should be notified, including police/law enforcement, other agencies or
  organisations affected by the breach, or insurers.

Step 4 - Review the incident and take action to prevent future breaches
• Fully investigate the cause of the breach.
• Report to the AFL Executive on outcomes and recommendations:
  • Update the security and response plan if necessary.
  • Make appropriate changes to policies and procedures if necessary.
  • Revise staff training practices if necessary.
  • Consider the option of an audit to ensure necessary outcomes are effected.