What policies and procedures should organisations have in place?

While notifications may be down, it’s essential that organisations do not let their guard down.

The OAIC highlighted some of the policies and procedures it expects businesses to have in place to meet their obligations under the Privacy Act. This includes:

  • regularly reviewing security measures, controls and identity verification processes intended to minimise the risk of impersonation fraud;
  • having appropriate internal practices, procedures, and systems to undertake a proper assessment of whether a cyber incident has resulted in an eligible data breach; and
  • having appropriate audit and access logs, a routinely tested backup system and an appropriate incident response plan.