Data Breach Response Plan Template for Australian Businesses

Every Australian business that handles personal information needs a data breach response plan — here's a practical template you can implement today

Under Australia's Notifiable Data Breaches (NDB) scheme, organisations covered by the Privacy Act 1988 must notify the OAIC and affected individuals when an eligible data breach occurs. A data breach response plan ensures you can meet the 30-day assessment deadline and the mandatory notification requirements without scrambling during a crisis.

What triggers the NDB scheme

You must assess and potentially notify when:

• There is unauthorised access to, or disclosure of, personal information
• The breach is likely to result in serious harm to affected individuals
• You have not been able to prevent the likely risk of serious harm through remedial action

"Serious harm" includes identity theft, financial loss, damage to reputation, physical harm, or emotional distress. If you're unsure whether a breach qualifies, the OAIC advises to treat it as notifiable and conduct a formal assessment.

The response plan template

Section 1 — Response team

Define who is responsible for each role during a breach:

• Breach coordinator — leads the response, makes decisions, coordinates communication. Usually the business owner or operations manager in an SMB
• IT/Technical lead — investigates the technical aspects, contains the breach, preserves evidence. Internal IT or external IT provider
• Legal/Compliance — advises on NDB obligations, Privacy Act requirements, and regulatory notifications. External lawyer if no in-house counsel
• Communications — handles notifications to affected individuals, staff, and media if required

For each role, document: name, phone number, email, and backup contact.

Section 2 — Detection and reporting

How breaches are identified and escalated internally:

• All staff must report suspected breaches to the breach coordinator within 1 hour of discovery
• Report triggers include: unauthorised access alerts, missing devices, suspicious emails, customer complaints about data misuse, unusual system behaviour
• All reports logged in a breach register with: date/time, who reported, what was observed, initial assessment

Section 3 — Containment

Immediate actions to limit damage:

1. Isolate affected systems from the network
2. Disable compromised user accounts
3. Change relevant passwords and access credentials
4. Preserve evidence — do not delete logs, emails, or files related to the breach
5. If physical records are involved, secure the area

Section 4 — Assessment (30-day deadline starts)

Conduct a formal assessment answering:

1. What personal information was involved? — names, emails, financial data, health records, identification numbers
2. How many individuals are affected?
3. How did the breach occur? — cyber attack, human error, system failure, theft
4. Is the breach likely to result in serious harm? — consider the type of data, who accessed it, and what they could do with it
5. Can remedial action prevent the risk of serious harm? — e.g., forcing password resets, revoking access, recovering stolen devices

If serious harm is likely and cannot be prevented: the breach is notifiable.

Section 5 — Notification (if breach is notifiable)

Notify the OAIC

Submit a notification via the OAIC's online notification form. Include:

• Your organisation's name and contact details
• Description of the breach
• The kind of information involved
• Recommendations for affected individuals

Notify affected individuals

Contact affected individuals directly (email is acceptable). Include:

• What happened — in plain language
• What information was involved
• What you're doing about it
• What they should do — change passwords, monitor accounts, enable MFA
• Where to get more information — your contact details and OAIC contact

Section 6 — Post-breach review

• Conduct root cause analysis within 14 days of resolution
• Identify and implement improvements to prevent recurrence
• Update this response plan based on lessons learned
• Brief all staff on changes
• Schedule follow-up review in 90 days

Testing the plan

A plan that hasn't been tested is a document, not a capability. Test your response plan:

• Tabletop exercise — walk through a hypothetical breach scenario with your response team. Takes 2 hours, reveals gaps immediately
• Contact verification — confirm all phone numbers and emails in the plan are current (quarterly)
• Backup restoration test — verify you can actually restore from backups (quarterly)
• Full simulation — run a realistic breach scenario end-to-end (annually)

Penalties for non-compliance

Failing to notify under the NDB scheme carries significant penalties:

• Individuals — up to $2.22 million per contravention
• Corporations — up to $50 million, or three times the benefit obtained, or 30% of adjusted turnover (whichever is greatest)