How to run an internal privacy investigation

If you suspect a data or privacy breach, you need to act quickly to stem that damage and respond to affected parties.

Many organisations also grapple with the question of whether they need to report any privacy or data breach to the regulator.

Based on our work with clients who have suffered a suspected privacy breach and conducted internal investigations, here are our top 10 tips to guarantee that you’re ticking all the right boxes:

  1. Act diligently and promptly

    Firstly, consult your Data Breach Response Plan.  Step 1 should be containing any immediate damage by, for example, removing information from websites, recalling any emails or gathering up any papers containing personal information.
     
  2. Follow your policies and procedures

    This is important! Many investigators inadvertently breach privacy in seeking to investigate a privacy breach.  Ensure that you understand the purpose of the investigation, who will receive the report, who is permitted to know about the suspected breach and who is on your Data Breach response team.

    If you have a privacy policy and/or investigation policy, you should follow its process. This will help to avoid any complaints of mismanagement or lack of procedural fairness.  You have 30 days to investigate, so, assuming you have acted to ensure no ongoing breaches, then an investigation plan comes next.
     
  3. Create a plan of action

    This includes considering:

    – What are the allegations?
    – Should anyone else be informed about the complaint?
    – Should any information be redacted when handling the complaint?
    – Are there any witnesses into the alleged behaviour?
    – Who should be interviewed?
     
  4. Evidence gathering

    All supporting documentation should be gathered, analysed and assessed. Remember to keep copies of websites or emails that you may have destroyed/deleted/removed in the immediate containment of the breach.

    Be sure to detail the type of evidence collected for each allegation including any response to contradictory evidence.

    You should also assess the relevance and reliability of the evidence.
     
  5. Confidentiality

    Consider:

    a) Do you need to redact any personal or sensitive information from the investigation report depending on who will be reading it?
    b) What are you going to tell witnesses and parties to the complaint to ensure that confidentiality is maintained?
     
  6. Procedural fairness

    To ensure procedural fairness and transparency, we recommend that any substantive information provided by a party to a complaint will be provided to the other party to facilitate the handling of the complaint. This includes information such as the complaint and the respondent’s response.

    You should provide each party has the opportunity to be heard and to respond to the allegations. This may be less important if there are no allegations against staff, and you are merely making factual findings for the purpose of privacy reporting.Knowing the scope of the investigation is important here and will impact the statements to witnesses, the type of questions and the emphasis on procedural fairness.
     
  7. Impartiality

    The person in charge of the investigation and the ultimate decision maker should be unbiased and have no direct involvement in the alleged incident.

    The more serious the allegations (and the possible consequences), the more important it is have the investigation conducted by an independent person who has no relationship with either party.

    If the complaint is serious and impartiality is not possible, consider whether you need to seek external assistance.
     
  8. Has there been a data breach?

    A data breach occurs when personal or sensitive information is accessed or disclosed without authorisation (or is lost).

    Under the Notifiable Data Breach Scheme, you must notify the Officer of the Australian Information Commissioner if the data breach is likely to cause serious harm.   You’ll need to consider whether a data breach has the potential to harm an individual whose personal or sensitive information has been affected.  Not every breach causes harm, and many organisations assume the mere fact of a breach is harmful. 

    If you make a finding that it is notifiable, you’ll need to refer to the evidence you have relied on in making that finding.

    It will be open to you in many instances to make a finding that the breach would have been reportable, except that it was contained in the early stages of the breach response or investigation.

    Note that the Office of the Australian Commissioner notes that some “overreporting” occurs.  There are a couple of traps here. 

    Be sure that you:

    – Do not report a privacy breach unless it’s notifiable; and
    – Do not report any breaches which do not actually involve personal information.
     
  9. Balance of probabilities

    Findings should be made only on the balance of probabilities. That is, that any decision made is based on clear, convincing and strict evidence.
     
  10. What is the outcome?

    Consider what you have learnt from this process and what next steps are. For example:

    – a change in practice, procedure or policy;
    – staff training; or
    – review of privacy policies or procedures.

How can we help you?

Our privacy team here at Moores can assist by providing guidance and advice on the likely implications of a data breach, reviewing policies and procedures and providing your organisation with privacy training. We want to ensure that you feel empowered to run an effective and useful privacy investigation internally, keeping any potential risk and liability minimised. For advice or guidance, please do not hesitate to contact us.

Privacy Training

When was the last time your staff did privacy training? Moores privacy training is informative, engaging and entertaining and regularly receives excellent participant feedback and learning outcomes.

Simulated Data Breach Workshop – Expressions of interest

We’re also taking Expressions of Interest for our Simulated Data Breach Workshop. If you’ve wanted to test your own policies, systems and responses against a breach, but without the risk, this session is for you. Aimed at privacy officers, this Workshop takes participants through a simulated data breach, from containment, through investigation, to writing a press release.

Authors