Queensland government agencies have “more work to do” to prepare for a future mandatory data breach reporting scheme, based on a readiness survey by the state’s information commissioner.
The survey [pdf] attracted 107 responses from 221 agencies.
Of those that responded, 52 agencies - a bit less than half - had a “documented data breach response plan”, with some “more comprehensive than others”.
This wasn’t necessarily a smoking gun for ill-preparedness, the Office of the Information Commissioner (OIC) noted; it could just be that agencies had plans and procedures that were “named differently but covering some or all the elements of a data breach response plan”.
In addition, the OIC said, “a documented response plan is only one element of a broader framework that includes internal controls and strategies to prevent, detect and respond to breaches.”
The absence of a document with the specific title of data breach response plan “does not mean agencies are not managing the risk of data breaches or meeting their obligations to protect personal information,” the OIC added.
But the Office did find variances between response plans, including in how they get tested: only 27 of the 52 agencies had tested theirs, 10 with a “cyber security exercise” and 12 with “an actual privacy or data breach”.
Most agencies - 42 of the 52 with a response plan - said they’d established a response team, but only 29 agencies “describe the role of the response team members in their plans and 18 agencies provide current contact details for the members of the response team.”
The OIC said that all government agencies “should be alert” to a future mandatory data breach notification scheme for Queensland.
No scheme currently exists, but the OIC said the idea for a scheme was endorsed by state cabinet mid-last year.
It also asked agencies to consider, in future, publishing information about data breach response plans “to build community confidence and trust in government.”