Data Breach Policy - May 2020

Co-Hab Tonsley Limited (ACN 602 663 829) and its associated entities are committed to protecting the Personal Information we collect.
This policy is a component of, and supports, our Privacy Policy. We are required to protect Personal Information (as defined in the Privacy Act 1988) we collect from loss, unauthorised access and unauthorised disclosure (Data Breach).

1. SECURITY OF DATA
1.1 We are obliged under the Australian Privacy Principles (APPs) to take such steps as are reasonable to protect personal information:
1.1.1 from misuse, interference and loss;
1.1.2 from unauthorised access, modification or disclosure.
1.2 We are also obliged to ensure the security of credit eligibility information (as defined in the Privacy Act 1988).
1.3 All staff members must adhere to the data security requirements and procedures for client information as outlined in the Privacy Policy, this Data Breach Policy, the Data Breach Response Plan and the Data Breach Report Form.
1.4 A failure to provide adequate security may lead to an interference with the privacy of an individual.

2. DATA BREACH STEPS
Should we suspect or believe that a data breach has occurred, we will undertake the following five steps:
2.1 Identify;
2.2 Contain;
2.3 Assess;
2.4 Notify; and
2.5 Review.

3. STEP 1: IDENTIFY
3.1 We will maintain systems and procedures to ensure that any suspected or actual data breach can be identified, reported and escalated to the management responsible for the implementation of the Data Breach Response Plan.
3.2 Any staff member of Co-Hab who suspects a data breach has occurred must ensure that a Data Breach Report Form is completed and sent promptly to the Privacy Officer.
3.3 The Privacy Officer is the person nominated by Co-Hab, as changed from time to time, whose details appear below:
Privacy Officer
Co-Hab Tonsley Limited ACN 602 663 829
Level 1, Mitsubishi Building,
1284 South Road
CLOVELLY PARK SA 5042
Contact: +61 448 053 024; Email: administration@co-hab.com.au

4. STEP 2: CONTAIN
4.1 Once a data breach has been identified, we will take all reasonable steps that can be taken to contain that breach.
4.2 We make a preliminary assessment of any remedial action we should take and provide that assessment to all relevant staff members within 24 hours.
4.3 Remedial action is anything we can reasonably do to stop the breach, prevent further similar breaches or prevent harm occurring to the individual whose data has been accessed or lost.
4.4 Examples of remedial action include:
4.4.1 retrieving the personal data;
4.4.2 shutting down our system;
4.4.3 finding the lost device or file.

5. STEP 3: ASSESS
5.1 The Data Breach Response Plan and the Data Breach Report Form provide for the proper assessment of the breach, including:
5.1.1 the type of information involved;
5.1.2 whether the breach can be remedied and the information recovered;
5.1.3 the identity and number of individuals affected or likely to be affected;
5.1.4 the possible financial, economic, social and emotional impact on any individual;
5.1.5 the nature of the breach (i.e. whether it was loss, access or disclosure of electronic or paper-based data, and whether it was accidental or deliberate);
5.1.6 the perpetrator of the breach (i.e. internal staff, contractors or third parties, whether local or overseas);
5.1.7 the risk of further breaches if remedial action is not taken (i.e. whether it is a systemic problem or a one-off);
5.1.8 whether criminality is evident (i.e. theft or hacking); and
5.1.9 whether the information was encrypted, de-identified or difficult to access.

6. STEP 4: NOTIFICATION
6.1 If we believe (not just suspect) on reasonable grounds that a data breach is likely to result in serious harm to any of the individuals concerned, we will:
6.1.1 prepare the statement required by the Privacy Act 1988 (Cth), including the following information:
(a) our identity and contact details;
(b) a description of the breach we believe has occurred;
(c) the kind of information involved in the breach;
(d) recommendations about the steps the individuals should take in response; and
(e) if the data breach was caused by a third party service provider we engage, their name and contact details;
6.1.2 provide a copy of the statement to the Office of the Australian Information Commissioner;
6.1.3 provide a copy of the statement to each affected individual, by the means we determine will communicate effectively, and include additional information such as:
(a) our response to contain the data breach and prevent its recurrence;
(b) any assistance we can offer to the individual(s);
(c) that we have reported the breach to the Office of the Australian Information Commissioner and, if relevant, any law enforcement agency/ies;
(d) how individual(s) can make a complaint to the Office of the Australian Information Commissioner.

7. STEP 5: REVIEW
To prevent future breaches of the same kind, the Data Breach Response Plan must include a requirement for us to conduct a review of our policies, systems and procedures, which may include the following:
7.1 a post-investigation audit of physical and technical security controls;
7.2 a review of policies and procedures;
7.3 additional training of staff members, including scenario practices;
7.4 identifying external resources that may assist in preventing future breaches, e.g. auditing firms, public relations firms and legal advisers;
7.5 a review of authority levels for access to and transfer of electronic data;
7.6 an assessment of whether the Data Breach Response Plan was adequate.