Partner Richard Wells and Senior Associate Suzy McMillan continue to share their top tips for organisations managing and recovering from a data breach. In their last episode, Richard and Suzy covered planning for, assessing, and notifying a data breach.
But the work has only just begun, because after the breach is notified, affected individuals may raise an ‘interference with privacy’ complaint, the most common of which is likely to be [01:14] non-compliance with information privacy principle 5, or IPP 5.
[02:05] Suzy shares her tips for managing IPP 5 and other privacy-related complaints, what the role of the Privacy Commissioner is in this process, and what happens if a resolution can’t be reached.
[03:50] For serious breaches that have caused significant harm, individuals can take their complaint to the Human Rights Review Tribunal, and Richard discusses how, under the new Privacy Act, individuals can now take class actions to the Tribunal too.
As part of the recovery process, Suzy recommends [06:01] assessing your security measures, identifying room for improvement and asking whether those improvements are reasonable and practical in the circumstances. [06:57] This could range from undertaking third-party security audits through to raising awareness of security risks within the organisation.
[07:25] What information should you make public, and what information should you keep private? Suzy explains how organisations must tread the line between maintaining transparency and not undermining their trust and reputation in the market. [08:58] Storytelling is an effective PR strategy following a data breach, provided the organisation is not exposing itself to further risk.
Please get in touch to receive an episode transcript, and don’t forget to rate, review or follow the Tech Suite wherever you get your podcasts. You can also sign up to receive technology updates via your inbox here.