Effective Date: 01 Jan 2025
Last Updated: 08 Oct 2025
This Data Breach Response Plan outlines the process for identifying, containing, assessing, and managing data breaches involving personal information held by VRISA PTY LTD (“VRISA”, “we”, “our”, “us”).
It applies to all:
Employees, contractors, and consultants of VRISA
SaaS platform operations and associated data stores
IT consulting engagements and client projects
Third-party systems and vendors that process data on our behalf
The objective of this plan is to:
Ensure timely and effective management of data breaches
Reduce harm to affected individuals and to VRISA
Comply with the Notifiable Data Breaches (NDB) Scheme under the Privacy Act 1988 (Cth)
Support transparency and accountability in handling personal data
A data breach occurs when personal information held by VRISA is:
Accessed by an unauthorised party
Disclosed without authorisation
Lost, and it is likely to result in unauthorised access or disclosure
Examples include:
Accidental publication of customer data
Lost or stolen laptops or storage devices containing personal information
Compromised user credentials or accounts
Hacking, ransomware, or unauthorised intrusion into systems
Misaddressed emails containing personal data
Inappropriate access by staff or contractors
A breach becomes an eligible data breach if all the following apply:
There has been unauthorised access, disclosure, or loss of personal information;
It is likely to result in serious harm to one or more individuals; and
The organisation has been unable to prevent the likely risk of serious harm through remedial action.
If a breach meets these criteria, VRISA must notify both the affected individuals and the OAIC as soon as practicable.
As soon as a potential data breach is detected:
Isolate affected systems or devices to prevent further data loss.
Disable compromised accounts, credentials, or network access.
Preserve evidence for investigation (logs, system snapshots, emails).
Notify the Privacy Officer and Incident Response Lead immediately.
Responsible roles:
Staff or contractor who identifies the breach (initial escalation)
IT Security / Engineering Team
Privacy Officer / Data Protection Officer
The Privacy Officer leads an assessment within 30 days, as required under the NDB scheme.
The assessment will determine:
What happened — nature, cause, and timing of the incident
What data was involved — personal, financial, or sensitive information
Who is affected — individuals, clients, partners, or third parties
Likelihood of serious harm — financial, reputational, identity theft, psychological, or physical harm
Containment measures taken
A written Data Breach Assessment Report should be completed and filed in the Incident Register.
If the assessment concludes the breach is “eligible” under the NDB scheme:
The Privacy Officer must prepare notifications to:
The Office of the Australian Information Commissioner (OAIC)
Affected individuals, directly or via public statement (if individual contact is impracticable)
If the breach does not meet the “eligible” threshold:
Record the incident and reasons in the Incident Register.
Continue internal monitoring and improvement actions.
a. OAIC Notification
VRISA will lodge an online notification form at: https://forms.business.gov.au/smartforms/servlet/SmartForm.html?formCode=OAIC-NDB
The notification must include:
Description of the breach
Type of personal information involved
Steps taken to contain or mitigate harm
Contact details for further information
b. Individual Notification
Affected individuals must be informed as soon as practicable. The communication should be clear and include:
Description of what happened
What information was involved
Potential risks or impacts
Steps taken by VRISA to mitigate harm
Recommendations for how individuals can protect themselves
Contact information for the VRISA Privacy Officer
Where multiple individuals are affected and direct contact is impracticable, a public notice may be published on the VRISA website or other appropriate channel.
After containment and notification:
Conduct a post-incident review to identify root causes.
Document lessons learned and update relevant policies and controls.
Improve staff training, technical safeguards, or contractual measures.
Review third-party or cloud provider security (if applicable).
Ensure remediation activities are completed and verified.
All Staff and Contractors
Immediately report any suspected or confirmed data breach to the Privacy Officer or manager.
Privacy Officer
Lead incident assessment, coordinate response, manage OAIC and individual notifications, maintain records.
IT Security / Engineering Team
Contain and remediate technical breaches, provide forensic evidence and logs, support investigation.
Legal / Compliance Advisor
Advise on privacy law, notification obligations, and risk exposure.
Executive Team / Managing Director
Approve external communications, allocate resources, oversee major incidents.
Communications / Marketing Team
Prepare and deliver public or media notifications if required.
VRISA will maintain a Data Breach Register including:
Date and time of breach detection
Description and category of breach
Assessment findings and risk rating
Containment and notification actions taken
Final remediation and review notes
Records will be retained securely for at least 7 years to demonstrate compliance.
All employees and contractors will receive annual privacy and security training, including how to identify and escalate potential breaches.
New hires must complete privacy induction within 30 days of joining.
The Privacy Officer will conduct periodic breach simulation exercises to test readiness.
This Data Breach Response Plan works alongside:
Privacy Policy
Information Security Policy
Incident Response Plan (technical)
Acceptable Use Policy
Records Retention Policy
Privacy Officer
VRISA PTY LTD
Address: Melbourne, VIC
Email: privacy@VRISA.com.au
This plan will be reviewed annually, or after any major data breach or legislative change, to ensure ongoing compliance with the Privacy Act 1988 (Cth) and OAIC guidance.
Implementation Checklist
Task - Responsible - Frequency
Maintain Data Breach Register - Privacy Officer - Ongoing
Conduct annual privacy & security training - HR / Privacy Officer - Annually
Review and test response plan - Privacy Officer / IT Security - Annually
Audit cloud and third-party providers - Compliance / IT - Annually
Notify OAIC and affected individuals (if required) - Privacy Officer - As needed
Post-incident review - Privacy Officer / Executive - After every incident