Tier 1 Care Pty Ltd

Data Breach Response Plan

1. Purpose

This plan outlines the procedures Tier 1 Care will follow in the event of a suspected or confirmed data breach to:

  • Minimise harm to individuals and the organisation
  • Comply with the Privacy Act 1988 (Cth), Notifiable Data Breaches (NDB) scheme, and NDIS requirements
  • Ensure timely notification to affected individuals and authorities

2. Scope

This plan applies to all personal and health information collected, stored, or processed by Tier 1 Care, including electronic and physical records, and all staff, contractors, and subcontractors handling this information.

3. Definition of a Data Breach

A data breach occurs when personal information is:

  • Accessed, disclosed, or lost without authorisation
  • Compromised due to theft, loss, hacking, or human error

A breach may be eligible for notification under the NDB scheme if it is likely to cause serious harm to individuals.

4. Roles and Responsibilities

Data Breach Response Officer:

  • Typically the NDIS provider manager or designated senior staff
  • Coordinates investigation, containment, and notifications

All Staff:

  • Immediately report any suspected or confirmed data breach to the Response Officer
  • Preserve evidence and do not attempt to resolve the breach alone

5. Data Breach Response Steps

Step 1: Containment and Initial Assessment

  • Identify and contain the breach immediately (e.g., secure systems, restrict access, recover lost documents).
  • Document date, time, type of data, affected individuals, and breach source.
  • Assess whether the breach is eligible for notification under the NDB scheme (i.e., likely to result in serious harm).

Step 2: Investigation

  • Investigate the cause and scope of the breach.
  • Determine the type and sensitivity of information involved.
  • Record all findings and steps taken in a secure incident log.

Step 3: Risk Assessment

  • Evaluate the likelihood of serious harm to affected individuals:
      ◦ Consider the sensitivity of information (health, NDIS, financial details)
      ◦ Consider the potential for misuse or identity theft
      ◦ Determine urgency and communication requirements

Step 4: Notification

  • If the breach is likely to result in serious harm:
      ◦ Notify affected individuals promptly, including what information was involved, potential consequences, and actions they can take.
      ◦ Notify the Office of the Australian Information Commissioner (OAIC) via NDB reporting.
      ◦ Keep records of all notifications.
  • If the breach is not likely to result in serious harm, document the incident and actions taken.

Step 5: Review and Remediation

  • Review policies, procedures, and technical controls to prevent recurrence.
  • Update staff training if human error contributed.
  • Amend security measures or processes as needed.
  • Conduct a post-incident review and record lessons learned.

6. Documentation

All data breaches, regardless of severity, must be recorded in the Data Breach Log, including:

  • Date and time of the incident
  • Description of breach
  • Information affected
  • Actions taken to contain and remediate
  • Notifications sent
  • Follow-up measures implemented

7. Staff Training

  • All staff will be trained on identifying, reporting, and responding to data breaches.
  • Refresher training will occur annually or whenever major systems or policies change.

8. Communication

Internal communication: Only authorised personnel communicate details of the breach internally.

External communication: Only the Data Breach Response Officer or delegated person communicates with affected individuals, OAIC, or media.

9. Review of the Plan

This plan will be reviewed annually, or after a data breach, to ensure compliance and effectiveness.

Contact for Data Breach Response

Email: wecare@tier1care.com.au
Phone: 1300 404 294
Postal: PO Box 0886, Ingleburn NSW 1980