BEHAVIOUR HELP – DATA BREACH RESPONSE PLAN – UNITED KINGDOM

1. Purpose

This plan outlines Behaviour Help’s procedures for identifying, containing, assessing, and responding to data breaches involving personal information in accordance with the Australian Privacy Act 1988 (Cth) (the Privacy Act), the EU GDPR, and the UK GDPR.

The EU GDPR and the UK GDPR require Behaviour Help to report ‘notifiable breaches’ to the relevant data protection authority without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach. Notification is required unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. If a report is not made within 72 hours, Behaviour Help must provide the reasons for the delay to the relevant data protection authority.

If the personal data breach relates to personal data that is processed on behalf of a Data Controller, such as Behaviour Help App’s customers, Behaviour Help must notify the Data Controller without undue delay.

2. What is a data breach?

A personal data breach can be defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”

A data security breach covers more than the simple misappropriation of data and may occur through incidents such as:

  • Loss or theft of data or equipment;
  • People gaining inappropriate access to personal data;
  • A deliberate attack on systems;
  • Equipment failure;
  • Human error;
  • Acts of God (for example, fire or flood);
  • Malicious acts such as hacking, viruses, or deception.

Breaches can be categorised according to the following three well-known information security principles:

  • Confidentiality breach – where there is an unauthorised or accidental disclosure of, or access to, personal data;
  • Integrity breach – where there is an unauthorised or accidental alteration of personal data;
  • Availability breach – where there is an accidental or unauthorised loss of access to, or destruction of, personal data.

A security incident resulting in personal data being made unavailable for a temporary period is also a type of breach, as the lack of access to the data could have a significant impact on the rights and freedoms of data subjects.

3. Data breach response steps

If you suspect that a data breach has occurred, you must immediately escalate the matter to Behaviour Help’s Privacy Officer. Any significant incidents must be escalated to executive management, and a response team must be convened.

If you suspect a data breach, you must notify the Privacy Officer immediately via the following email: dolly@behaviourhelp.com

Where possible, the Breach Incident Report Form in Annex I must be completed with as much information as possible and emailed to the Privacy Officer.

Step 1: Identify and contain the breach

Once a breach or suspected breach has been reported to the Privacy Officer, the Privacy Officer must commence an investigation and assess whether he/she has sufficient information to identify next steps.

Behaviour Help must take steps to end the data breach and prevent any further unauthorised access, loss, or disclosure of information. The Privacy Officer will coordinate with IT to ensure that any affected systems or networks are isolated and the IT environment is secured.

The IT team must ensure that any evidence and network logs are preserved for investigation purposes and should document all actions taken to contain the breach.

Step 2: Take steps to maintain privilege over communications

  • Label documents and communications “Confidential and privileged – prepared for the purpose of legal advice”
  • Restrict the sharing of privileged documents and communications
  • Do not paraphrase privileged content in emails or other communications
  • Consider providing privileged documents in hard copy only and retrieving the copy after use
  • Produce as few written materials on sensitive issues as possible
  • Avoid mixing matters relating to privileged content with other topics in internal communications

Step 3: Assess the breach

The Privacy Officer will gather facts and take steps to assess the data breach and determine whether the breach is an ‘eligible data breach’ and is therefore notifiable. If required, seek legal advice.

If the breach or suspected breach has occurred at one of our Data Processors, the DPO must liaise with the Data Processor to obtain as much information as possible about the extent of the breach or suspected breach and any steps being taken to mitigate any risk to data subjects.

What is an eligible data breach?

A data breach will be considered ‘eligible’ when all of the following conditions are met:

  • There has been unauthorised access to, unauthorised disclosure of, or loss of personal information;
  • The breach is likely to result in harm to an individual’s rights or freedoms;
  • Reasonable steps taken to mitigate the risk of serious harm have not been effective.

Criteria for evaluation

When evaluating the potential for harm, a comprehensive assessment should be undertaken, considering factors such as:

  • The nature and categories of information involved;
  • The sensitivity of the information—particularly sensitive or health-related data;
  • Specific vulnerabilities or circumstances of the individuals affected;
  • The presence and strength of security measures protecting the information;
  • The probability that those security measures could be bypassed;
  • The identity or type of individuals who have accessed or may access the data;
  • The possible consequences such as identity theft, financial loss, personal safety risks, or reputational damage.

Remedial action

Remedial action to contain and stop a data breach must be undertaken. In some instances, remedial action may mean that a breach is no longer likely to result in serious harm, for example where the information has been retrieved and it has been determined that there is no further threat of exposure or continuing access.

Step 4: Notification to regulators and impacted individuals (if required)

If the incident is an ‘eligible data breach’, then the Privacy Officer must determine if the relevant data protection authority or the impacted individuals must be notified, taking into account applicable laws.

Any notifications to regulators and individuals must be approved by the Privacy Officer, and Behaviour Help should consider obtaining legal advice prior to submitting or issuing any notifications.

Notifications to regulators must include:

  • A description of the nature of the personal data breach,
  • The categories of and approximate number of data subjects affected,
  • The categories and approximate number of personal data records concerned,
  • The name and contact details of our ‘Responsible Person’,
  • A description of the likely consequences of the breach,
  • A description of the measures taken to address the breach.

Notifications to individuals must include:

  • The identity and contact details of the entity;
  • The identity and contact details of the privacy officer;
  • A description of the data breach;
  • The types of personal information involved;
  • Steps individuals should take to protect themselves.

If the entity cannot notify individuals directly, it must publish a copy of the notification on its website and take proactive steps to publicise it.

Step 5: Timing of notifications

If there are reasonable grounds to believe that there has been an eligible data breach, notification must be made promptly.

Assessments must be completed expeditiously and within 30 calendar days of becoming aware of the grounds for suspicion. If during assessment it becomes clear an eligible breach has occurred, notification requirements must be promptly complied with.

Step 6: Review and prevent

The Privacy Officer, in conjunction with IT, must conduct a post-incident review to identify root causes and weaknesses. Findings must be reported to executive leadership. Improvements to security and training must be implemented.

Step 7: Record-keeping and documentation

The Privacy Officer must maintain a record of all breaches, whether or not notification was required. Records must include incident details and remedial actions taken.

Step 8: Regular review

This plan should be reviewed and tested regularly, including through simulated breach exercises.

Date last reviewed: 02/09/2025

Contact

BEHAVIOUR HELP Pty Ltd
5A Hartnett Close, Mulgrave VIC 3170
Email: dolly@behaviourhelp.com

Annex I: Breach Incident Report Form

Company Name – HIGHLY CONFIDENTIAL

Form for reporting a suspected information security incident

Your Name: ___________________
PC Name: (e.g. XX######)
Dept/Division: ___________________

Today’s Date: ___________________
Tel No: ___________________
E-mail Address: ___________________

Date of Incident: ___________________
Time of Incident: ___________________
Who Was Notified: ___________________
Time of Notification: ___________________

Brief Description of Incident:

Did you witness the incident yourself? Y / N

Did others witness the incident? (if yes, specify)

To your knowledge, was any of the following involved?

  • Telephone
  • Theft
  • Fax
  • Fraud
  • Photocopier
  • Unauthorised Access
  • Computer Hardware
  • Customers
  • Email
  • Third Parties
  • Internet download
  • Copyright
  • Virus
  • Other (specify)

Was any COMPANY Internal or Confidential information compromised? Y / N

Did you report this incident to: (circle all applicable)

Supervisor – Law Enforcement – Director of IT – Internal Auditor – Other (Specify)