Luke McFarland Consulting & Advisory Services

“Pivoting Organizations Globally, to Become High Performance Revenue Generating Machines.”

Our Data Breach Response Plan

Effective Date: 7 April 2025
Next Review Date: 7 April 2026
Policy Owner: Luke McFarland


1. Purpose

This Data Breach Response Plan outlines the processes Luke McFarland Consulting ("we", "us", "our") will follow in the event of a data breach. It supports our Data Protection Policy and ensures compliance with:

  • Australian Privacy Act 1988 (Cth) and Notifiable Data Breaches (NDB) scheme

  • European Union General Data Protection Regulation (GDPR)

2. Definition of a Data Breach

A data breach occurs when personal information held by us is:

  • Lost

  • Subject to unauthorised access, disclosure, alteration, or destruction

Examples include:

  • Hacking, malware attacks, or ransomware incidents

  • Lost or stolen devices containing personal information

  • Mistaken disclosure of personal information to the wrong person

3. Breach Response Team

  • Data Protection Officer: Luke McFarland (Primary Contact)

  • Technical Support Team: ICT Security Consultants (as needed)

  • External Legal Counsel: Engaged as necessary for advice and reporting compliance

4. Breach Response Steps

Step 1: Identification and Containment

  • Immediately contain the breach to prevent further access, disclosure, or damage.

  • Assess whether the breach is ongoing and stop any unauthorised access.

Step 2: Assessment

  • Assess the breach to determine:

    • What personal information was involved

    • The cause and extent of the breach

    • The individuals or organisations affected

    • The risk of harm to affected individuals

Step 3: Notification

  • If eligible under the NDB scheme or GDPR:

    • Notify the Office of the Australian Information Commissioner (OAIC) and/or relevant EU authority.

    • Notify affected individuals, including:

      • A description of the breach

      • The types of information involved

      • Recommended steps individuals should take

      • Our contact details

Notification must occur within 72 hours of becoming aware of a GDPR breach and as soon as practicable for Australian obligations.

Step 4: Remediation

  • Take action to prevent the breach from recurring, such as:

    • Strengthening security controls

    • Providing staff training

    • Reviewing and updating policies and procedures

Step 5: Documentation

  • Record the details of the breach, the assessment, actions taken, and decisions made.

  • Maintain a breach incident log for compliance and auditing purposes.

5. Communication Plan

  • Use clear, simple language for all communications to affected individuals.

  • Prepare public statements if the breach has the potential for widespread concern or media attention.

  • Communications must be reviewed by the Data Protection Officer and Legal Counsel before release.

6. Training and Testing

  • All staff must complete data breach response training annually.

  • This Plan must be tested annually through a simulated breach exercise.

7. Review

This Data Breach Response Plan must be reviewed annually or after a significant breach to ensure its effectiveness.


Contact Details for Reporting a Suspected Data Breach:
Luke McFarland Consulting
Email: enquiries@lamcadvisory.com
Phone: +61 405 667 645