Reporting requirements under the industry privacy code

As the Code Administrator, AMSRO is required to monitor compliance by member organisations with the Code and investigate serious and repeated breaches and systemic issues about code compliance.

It’s important member organisations maintain a culture of privacy protection and review all privacy breaches with AMSRO, to ensure that they implement appropriate improvement in privacy protection. Organisations therefore need to ensure they implement practices, procedures and systems for handling enquiries and complaints with respect to its compliance with the Industry Privacy Code and the Australian Privacy Principles (APPs). To ensure the process is fair and consistent, complaints and enquiries should be referred to a single point of contact being the Privacy Officer. Details of complaints must also be logged to make sure that any serious or systemic issues are identified and acted upon.

Key steps in responding to a data breach

Step 1

  • Take immediate steps to contain the breach
  • Make a preliminary assessment of how the breach occurred
  • Try to rectify the issue as soon as possible

Step 2

  • Establish the cause and extent of the breach
  • Consider what personal information is involved, directly or by implication
  • Determine whether the context of the information is important
  • Evaluate the nature of risks for individuals associated with the breach
  • Identify what is the potential risk of harm, including e.g. re-identification, identity theft, fraud, or compromise of generic password
  • Consider protective steps an affected individual may need to take, and how urgently
  • If unresolved, report the complaint/breach to AMSRO
  • Some notifications to individuals may need to be done urgently or immediately, to enable individuals to protect themselves from further consequences

Step 3                                                               

  • Risk analysis on a case-by-case basis
  • Consider breach notification to the regulator (www.oaic.gov.au)
  • Consider breach notification to the individuals affected
  • Not all breaches necessarily warrant notification (very low impact risks with very low probability of manifesting)
  • Uncertainty or ambiguity about what happened elevates the risk

(Consider any mandatory notification requirements under US or EU law, if applicable, and under Australian law, if and when it is passed.)

Recommended complaint handling procedure

Procedure Timeline
A complaint is received about an alleged breach of the Privacy Code/APPs
Complaint must be forwarded to the Privacy Officer 7 days
The Privacy Officer must make a determination on the complaint and advise the complainant in writing. 30 days from date of receipt
Privacy Officer will keep a record of all complaints and determinations. This will comprise a register and file records that will be securely stored in accordance with the Code /APP 11. On-going
If the Privacy Officer determines there has been a breach of the Code/APPs he/she will, upon notification to the complainant, advise the relevant personnel in writing of any action required to remedy the breach. Upon determination
If breach is incapable of being rectified and is not rectified within 30 days, the Privacy Officer must inform the Managing Director and AMSRO about the failure to rectify the breach. 30 days from determination

Should the Privacy Officer be aware that the complainant remains unsatisfied following the completion of the above process, they must  inform AMSRO using the online reporting form (following).

AMSRO Privacy Complaint form

General tips for responding to a data breach

  1. Take each situation seriously and move immediately to contain and assess the breach.
  2. Breaches that may initially seem immaterial may be significant when their full implications are assessed.
  3. Organisations should undertake steps 1 & 2 either simultaneously or in quick succession. In some cases it may be appropriate to notify individuals immediately, before containment or assessment of the breach occurs.
  4. The decision on how to respond should be made on a case-by-case basis. Depending on the breach, not all steps may be necessary, or some steps may be combined. In some cases, organisations may choose to take additional steps that are specific to the nature of the breach.
  5. If the breach is unresolved, and the complaintant dissatisfied, inform and work with AMSRO to rectify the matter.