LIONSHEART STUDIOS PTY LTD
DATA BREACH RESPONSE PLAN
Purpose
To set out procedures to implement the mandatory notifiable data breaches scheme that applies under the Privacy Act 1988.
Definitions
Data breach means unauthorised access to, or unauthorised disclosure of, personal information or a loss of personal information. Examples of a data breach are when a device containing personal information is lost or stolen, an entity’s database containing personal information is hacked or an entity mistakenly provides personal information to the wrong person.
Notifiable data breach means a data breach that is likely to result in serious harm, which must be notified to affected individuals and the Office of the Australian Information Commissioner (OAIC).
Personal information means information or an opinion about an individual who is identified, or who can reasonably be identified, from the information, whether or not the information or opinion is true or recorded in a material form, and includes sensitive information; and
Sensitive information means information or an opinion that is also personal information, about a person’s racial or ethnic origin, political opinions, memberships of political, professional and trade associations and unions, religious and philosophical beliefs, sexual orientation or practises, criminal history, health information, and genetic and biometric information.
Procedure
Identification of a breach
- LionsHeart (LHS hereafter) experiences data breach or a data breach is suspected: this may be discovered by a LHS staff member, or an LHS staff member may be alerted by another party or system.
- When a LHS staff member discovers or is alerted to a data breach they must immediately notify LHS Privacy Officer via email at playconomics@lionsheartstudios.com and provide as much information as possible such as the time and date the known or suspected breach was discovered, the type of personal information involved, the cause and extent of the breach, and the context of the affected information and the breach.
- Any immediate steps available to contain the breach must be identified and implemented as a matter of urgency. Reducing the scale and impact of a data breach must be paramount. All known or suspected data breaches must still be documented internally by the LHS.
Assessment of a breach
- Not all data breaches are notifiable. If, after an initial investigation, LHS suspects a notifiable data breach may have occurred, a reasonable and expeditious assessment must be undertaken to determine if the data breach is likely to result in serious harm to any individual affected.
- LHS Privacy Officer will review all the information available to assess the suspected breach. In assessing a suspected breach, LHS Privacy Officer may require assistance and information from all its teams.
- There will then be an evaluation of the scope and possible impact of the breach. The LHS Privacy Officer will assess if a breach is likely to be notifiable and ensure appropriate actions including reporting to the OAIC. An assessment of a known or suspected breach must be conducted expeditiously and where possible should be completed within 30 days.
- In all cases the assessment will identify what actions must be taken. These will be documented and acted upon as soon as possible.
- There is no single method of responding to a data breach. Data breaches must be dealt with on a case-by-case basis, by undertaking an assessment of the risks involved, and using that risk assessment to decide the appropriate course of action.
- There are four key steps to consider when responding to a breach or suspected breach.
- STEP 1: Contain the breach and do a preliminary assessment
- STEP 2: Evaluate the risks associated with the breach
- STEP 3: Notification to OAIC and affected individuals
- STEP 4: Prevent future breaches
A notifiable breach
- A breach which is assessed as likely to result in serious harm to individuals whose personal information is involved, is a notifiable data breach. Such data breaches must be notified to the affected individuals and the OAIC. Notice must include information about the breach and the steps taken in response to the breach.
- If LHS has responded quickly to the breach, and as a result of this action the data breach is not likely to result in serious harm, there is no need to notify individuals or the OAIC. However, LHS may decide to tell the affected individuals about the incident if it is considered appropriate.
- The risk of serious harm will be assessed by considering both the likelihood of the harm occurring and the consequences of the harm.
- Notification to the OAIC and internally within LHS is the responsibility of the LHS Privacy Officer.
- Notification to individuals may be undertaken by the LHS Privacy Officer.
- Notifications will follow the format identified by the OAIC in Data breach preparation and response.
Response team
A response team will be formed for a serious breach. The team will include all senior LHS staff members and the LHS Privacy Officer, as well as a legal team that will provide legal advice and compliance.
Breaches that are not serious
Breaches that are not assessed as serious breaches may be handled by the senior LHS staff members, but must be reported to the LHS Privacy Officer.
Records
Documentation will be stored by LHS electronically for each suspected breach.
Questions? Contact playconomics@lionsheartstudios.com
Updated September 2023