Data Breach Response Policy

Code: PRI-002
Domain: Privacy & Data Rights
Owner: Privacy Officer
Status: Draft
Applicability: Platform
Jurisdiction: NZ + AU
Business domain: BD01
Review date: 2027-03-25

Regulations: Privacy Act 2020 · Privacy Act 1988

Purpose

Govern the platform's obligations for notifiable privacy breaches, including detection, assessment, notification to regulators and affected individuals, and remediation.

Scope

All privacy breaches involving personal information held by the platform or its processors in NZ and AU that meet or may meet the notification threshold.

Policy statements

The platform SHALL maintain a privacy breach response procedure that defines detection, assessment, notification, and remediation steps for privacy breaches.

A privacy breach SHALL be assessed for notification obligation within 72 hours of detection. In NZ, the platform SHALL notify the Privacy Commissioner if the breach is likely to cause serious harm to any affected individual. In AU, the platform SHALL notify the Office of the Australian Information Commissioner (OAIC) and affected individuals if the breach is an eligible data breach under the Notifiable Data Breaches scheme.

Where notification to affected individuals is required, the notification SHALL be made as soon as practicable and SHALL include: the nature of the breach, the information involved, the steps taken to contain the breach, and the steps individuals can take to protect themselves.

The Privacy Officer SHALL maintain oversight of all privacy breach assessments. Assessments of medium or higher potential harm SHALL require Privacy Officer sign-off before a decision not to notify is made.

All privacy breaches, whether notifiable or not, SHALL be recorded in the breach register. The register SHALL include: date of detection, nature of breach, information affected, assessment outcome, notifications made, and remediation actions.

The platform SHALL take prompt action to contain and remediate each privacy breach. Remediation actions SHALL be tracked to closure.

The breach register SHALL be reviewed by the Privacy Officer quarterly and reported to the BRC annually.

Satisfying modules

Module: MOD-150
Name: Risk management platform
Mode: AUTO
Description: Security anomalies (CloudTrail access failures, Cognito brute-force patterns, Secrets Manager anomalies) are auto-classified as potential breaches and the notification timer starts automatically.

Part of Privacy & Data Rights · Governance overview
Compiled 2026-05-22 from source/entities/policies/PRI-002.yaml