An incident response plan clearly sets out the roles and responsibilities of those involved in the incident response.
Privacy incident roles
While these roles and responsibilities will vary from agency to agency, the following list indicates the high-level responsibilities of various groups involved in an incident response.
This list is a prompt for further thinking and is not exhaustive.
Privacy officer
Planning for a privacy breach
Compile the relevant information required to prepare the incident response plan (for example, data and third-party inventories).
Lead the preparation, drafting and adoption of the incident response plan.
Facilitate table-top exercises to test the effectiveness of the incident response plan.
During a privacy breach
Assist with assessing the privacy impact and risks associated with the incident.
Contribute to decisions regarding engagement with key stakeholders, including the Office of the Privacy Commissioner, the Government Chief Privacy Officer, and affected individuals.
Information security and ICT
Planning for a privacy breach
Provide input into the incident response plan regarding detection, containment and assessment of the incident.
During a privacy breach
Address data breaches and carry out forensic investigations.
Legal
Planning for a privacy breach
Review the incident response plan to ensure it complies with all applicable laws.
During a privacy breach
Assist with any legal issues and queries associated with the incident.
Communications
Planning for a privacy breach
Contribute to the drafting of prepared key messages addressing a range of potential incidents that can be adapted for different stakeholders.
Develop a communications plan that includes how to manage media and public enquiries.
During a privacy breach
Implement the communications plan.
Address media and public enquiries.
Amend and publish prepared key messages for different stakeholders.
Risk and assurance
Planning for a privacy breach
Assist with the development of severity ratings and escalation triggers.
Ensure the incident response plan is consistent with the agency’s risk management approach and strategy.
During a privacy breach
Assist with assessing the privacy impact and risks associated with the incident.
Service delivery/operations
Planning for a privacy breach
Advise about relationship management with customers, clients and others.
Advise about impacts to the agency, customers, clients and others.
During a privacy breach
Ensure the response team has access to the resources required to appropriately manage the response.
Senior leadership team
Planning for a privacy breach
Understand their roles and responsibilities in the incident response plan.
Review and approve the incident response plan.
During a privacy breach
Ensure the response team has access to the resources required to appropriately manage the response.
Publicly comment on the privacy incident when required.