Data Breach Policy

This article outlines the broker’s responsibilities and required actions when managing data breaches involving personal information under the Notifiable Data Breaches scheme.

Updated over 2 weeks ago

Managing data breaches involving personal information

The Privacy Act 1988 (Cth) requires organisations to take reasonable steps to protect personal information from misuse, interference, loss and unauthorised access, modification or disclosure. The Notifiable Data Breaches (NDB) scheme introduces mandatory notification requirements when an eligible data breach is likely to result in serious harm.

This article explains your responsibilities as a Connective broker when managing actual or suspected data breaches. It outlines what a Notifiable Incident is, the steps you must take, your obligations when working with Connective, and how to prevent future breaches.

When this policy applies

This policy applies to all Connective brokers who handle personal information while performing Connective Activities.

Personal information includes any client information provided to you in connection with a Connective Activity. A data breach occurs when there is unauthorised access, unauthorised disclosure or loss of this personal information.

Any actual or suspected data breach involving personal information is referred to as a Notifiable Incident.

Important: If you become aware of, or suspect, a Notifiable Incident, you must act immediately to reduce risk to affected individuals and ensure legislative compliance.

What to do if a Notifiable Incident occurs

You must follow these five steps when a Notifiable Incident is suspected or confirmed:

  1. Notify Connective

  2. Take remediation action

  3. Investigate and report

  4. Assist Connective

  5. Implement prevention measures

Notify Connective as soon as possible

Tell your Connective Partnership Manager or Compliance Support Manager (CSM) immediately if you become aware of any incident that may involve unauthorised access, disclosure or loss of personal information.

If unsure, notify Connective as soon as practicable to allow assessment.

If in doubt, email [email protected].

When notifying Connective, provide the following information (if known):

Details of the incident

  • Date the incident occurred

  • Date you detected or suspected the incident

  • Description of what happened

  • Types of personal information affected or potentially affected

  • Whether the information was protected (e.g., encrypted, anonymised)

  • Root cause (if known), such as malicious attack, system fault or human error

Possible impact

  • Estimated number of individuals affected

Actions taken

  • Steps taken to contain the breach

  • Measures to reduce the risk of harm

  • Recommended actions for the broker, Connective or affected individuals

Note: Connective may also be required to notify relevant panel lenders if their customers are impacted.

Take remediation action

Once aware of a data breach or suspected data breach, you must take immediate action to contain it and prevent further harm. This may include:

  • Stopping the unauthorised practice

  • Recovering records or devices

  • Securing systems or access points

  • Preventing additional loss or disclosure

Examples

Example 1: Mis-sent email
A file containing client information is emailed to the wrong recipient. The recipient confirms the file was not accessed and permanently deletes it. A statutory declaration may be requested.

Example 2: Lost mobile device
A device containing client information is lost. IT support remotely wipes the device promptly, ensuring the contents cannot be accessed.

Example 3: Documents left onsite
Client documents are left in a service provider’s meeting room. The provider confirms they did not access the documents and stores them securely until collected.

Investigate and report

After notifying Connective, you must:

  • Appoint an incident manager as your main contact

  • Investigate and assess the incident within three calendar days

  • Work with Connective to contain the breach

  • Assess whether further remediation is required

  • Provide regular updates depending on severity

  • Use the communication channels Connective specifies

The purpose of this assessment is to determine whether serious harm is likely and whether formal notification is required.

Assist Connective with assessment and notification

You must provide reasonable assistance to Connective, including:

  • Supporting Connective’s investigation

  • Following Connective’s directions on risk mitigation and prevention

  • Helping assess whether the breach is likely to result in serious harm

  • Allowing Connective to lead any required notifications to the OAIC or affected individuals

If it is agreed that you are best placed to notify affected individuals, you must consult with Connective and follow their instructions before issuing any notifications.

You must not issue statements or notifications without first discussing them with Connective, except where required by law. Copies of all notifications must be provided to Connective as soon as practicable.

Implement prevention measures

Once the incident is contained, risks are mitigated and any required notifications are issued, you must:

  • Provide Connective with a final report outlining:

    • The root cause of the incident

    • Corrective actions to prevent recurrence

  • Implement a prevention plan agreed with Connective

Examples of prevention activities include:

  • Security audits

  • Updates to internal procedures or policies

  • Staff training

  • Reviewing service providers involved in the incident

How Connective monitors compliance

Connective may conduct periodic reviews to validate broker compliance with data breach obligations. These reviews may include:

  • Screening and self-assessments

  • Requests for documents or data

  • Direct engagement with brokers

  • External validation

  • Ongoing monitoring of material risks

Where to find more information

For guidance on mandatory data breach notification, refer to the OAIC – Notifiable Data Breaches scheme.

Definitions

Broker Related Party: Individuals or entities assisting the broker with Connective Activities.
Connective: Connective Credit Services Pty Ltd, Connective Broker Services Pty Ltd, Connective Lender Services Pty Ltd, Connective Group Pty Ltd and subsidiaries.
Connective Activities: Activities performed under the full member agreement.
Connective Partnership Manager: The Partnership Manager responsible for the broker.
Connective CSM: The Compliance Support Manager for the broker.
Notifiable Incident: Any incident involving unauthorised access, disclosure or loss of personal information.
OAIC: Office of the Australian Information Commissioner.
Personal Information: Information about an identified or reasonably identifiable individual, regardless of format. Examples include voice recordings and identifiable images.
Privacy Act: Privacy Act 1988 (Cth).

Appendix A – Data Breach Notification Template