BEHAVIOUR HELP – DATA BREACH RESPONSE PLAN
Purpose
This plan outlines Behaviour Help's procedures for identifying, containing, assessing, and responding to data breaches involving personal information in accordance with the Australian Privacy Act 1988 (Cth) (the Privacy Act).
What is a data breach?
A data breach occurs when personal information held by the organisation is lost or subjected to unauthorised access, disclosure, modification, misuse, or interference. This includes both accidental and deliberate incidents.
Data breach response steps
If you suspect that a data breach has occurred, immediately escalate the matter to Behaviour Help's Privacy Officer. Any significant incident must be escalated to executive management and a response team convened.
1. Contain the breach
Behaviour Help must take steps to end the data breach and prevent any further unauthorised access, loss or disclosure of information. The Privacy Officer will coordinate with IT to ensure that any affected systems or networks are isolated and the IT environment is secured.
The IT team must ensure that any evidence and network logs are preserved for investigation purposes (affected systems must not be wiped or rebuilt before evidence is captured) and must document all actions taken to contain the breach, including who took each action and when.
Take steps to maintain privilege over communications:
- Label documents “Confidential and privileged – prepared for the purpose of legal advice”
- Restrict the sharing of privileged documents and communications
- Do not paraphrase privileged content in emails or other communications
- Consider providing privileged documents in hard copy only and retrieving the copy after use
- Produce as few written materials on sensitive issues as possible
- Avoid mixing matters relating to privileged content with other topics in internal communications
2. Assess the breach
The Privacy Officer will gather the facts, assess the data breach and determine whether it is an 'eligible data breach' and is therefore notifiable. If required, seek legal advice.
What is an eligible data breach for the purposes of the Privacy Act?
For an 'eligible data breach' to exist, three criteria must be satisfied:
- unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information;
- the breach is likely to result in serious harm to one or more individuals; and
- prevention of the risk of serious harm through remedial action has not been successful.
The risk of serious harm must be assessed "holistically" taking into account a list of ‘relevant matters’:
- the kind or kinds of information;
- the sensitivity of the information (if the information is sensitive or health information then this increases the likelihood of serious harm occurring);
- whether the information is protected by one or more security measures;
- if the information is protected by one or more security measures – the likelihood that any of those security measures could be overcome;
- the persons, or the kinds of persons, who have obtained, or who could obtain, the information; and
- the nature of the harm (for example, identity theft, financial loss, threats to safety or embarrassment).
How can remedial action prevent the risk of serious harm?
Remedial action to contain and stop a data breach must be undertaken. In some instances, remedial action may result in a data breach being not likely to result in serious harm – such as where information has been retrieved and it has been determined that there is no further threat of exposure or continuing access to that information.
3. Notification to regulators and impacted individuals (if required)
If the incident is an 'eligible data breach', then the regulator, the Office of the Australian Information Commissioner (OAIC), and affected individuals must be notified. Any notification to the regulator or to individuals must be approved by the Privacy Officer, and Behaviour Help should consider obtaining legal advice before submitting or issuing any notification.
The OAIC has an online submission form that entities are required to complete to notify them of an eligible data breach.
Notifications to individuals must include the following information:
- Behaviour Help's identity and contact details;
- a description of the data breach;
- the types of personal information involved; and
- recommended steps individuals should take to protect themselves in response to the eligible data breach.
If it is not practicable to notify the individuals whose personal information has been affected, then the entity must publish a copy of the notification on its website and take reasonable steps to publicise it.
Timing of notifications
If there are reasonable grounds to believe that there has been an eligible data breach, then notification must be made promptly (as soon as practicable).
If it is only suspected that there may have been an eligible data breach, a reasonable and expeditious assessment must be undertaken to determine whether one has occurred. If, during the course of that assessment, it becomes clear that there has been an eligible data breach, then the notification requirements must be complied with promptly.
All reasonable steps to complete the assessment must be taken within 30 calendar days after the day the entity became aware of the grounds (or information) that caused it to suspect an eligible data breach.
4. Review and prevent
The Privacy Officer in conjunction with the IT team must conduct a post-incident review to identify root causes and weaknesses in Behaviour Help’s IT systems or processes. Any findings and recommendations must be reported to executive leadership.
Behaviour Help must implement the recommendations and improvements needed to prevent recurrence of the data breach. This may include reviewing and enhancing security controls and updating staff training.
Record-keeping and documentation
The Privacy Officer must maintain a record of all data breaches, regardless of whether notification is required. This record must note the details of the incident and remedial actions taken to rectify the incident.
Regular review
This plan should be reviewed and tested regularly, including through simulated breach exercises, to ensure its effectiveness and compliance with all applicable laws and regulations.
Date the plan was last reviewed: 23 July 2025
Contact
BEHAVIOUR HELP Pty Ltd, 5A Hartnett Close, Mulgrave VIC 3170
Email: dolly@behaviourhelp.com