BEHAVIOUR HELP – DATA BREACH RESPONSE PLAN - UNITED KINGDOM

Last reviewed: 12th September 2025

1. Purpose

This plan outlines Behaviour Help’s procedures for identifying, containing, assessing, and responding to data breaches involving personal information in accordance with the Australian Privacy Act 1988 (Cth) (the Privacy Act), the EU GDPR, and the UK GDPR.

The EU and the UK GDPR require Behaviour Help to report ‘notifiable breaches’ without undue delay and, where feasible, not later than 72 hours after having become aware of it. Notification of a breach is required unless it is unlikely to result in a risk to the rights and freedoms of individuals. In the event that a report is not made within 72 hours, Behaviour Help is required to provide the reasons for the delay in reporting it to the relevant data protection authority.

If the personal data breach relates to personal data that is processed on behalf of a Data Controller, such as Behaviour Help App’s customers, Behaviour Help must notify the Data Controller without undue delay.

2. What is a data breach?

A personal data breach can be defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”

Examples of data breaches

  • Loss or theft of data or equipment;
  • People gaining inappropriate access to personal data;
  • A deliberate attack on systems;
  • Equipment failure;
  • Human error;
  • Acts of God (for example, fire or flood);
  • Malicious acts such as hacking, viruses, or deception.

Categories of breaches

  • Confidentiality breach – unauthorised or accidental disclosure of, or access to, personal data.
  • Integrity breach – unauthorised or accidental alteration of personal data.
  • Availability breach – accidental or unauthorised loss of access to, or destruction of, personal data.

A security incident resulting in personal data being made unavailable for a temporary period is also a type of breach, as the lack of access to the data could have a significant impact on the rights and freedoms of data subjects.

3. Data breach response steps

If you suspect that a data breach has occurred, you must immediately escalate the matter to Behaviour Help’s Privacy Officer. Any significant incidents must be escalated to executive management, and a response team must be convened.

If you suspect a data breach, you must notify the Privacy Officer immediately via email: dolly@behaviourhelp.com

Where possible, the Breach Incident Report Form in Annex I must be completed with as much detail as is available and emailed to the Privacy Officer.

Step 1: Identify and contain the breach

The Privacy Officer must commence an investigation to assess whether sufficient information exists to identify next steps. Behaviour Help must take immediate steps to end the data breach and prevent further unauthorised access, loss, or disclosure of information. The Privacy Officer will coordinate with IT to secure affected systems and preserve evidence.

Step 2: Maintain privilege over communications

  • Label documents and communications “Confidential and privileged – prepared for the purpose of legal advice”.
  • Restrict sharing of privileged documents.
  • Do not paraphrase privileged content in emails or other communications.
  • Where appropriate, provide privileged documents in hard copy only and retrieve copies after use.
  • Produce as few written materials on sensitive issues as possible.

Step 3: Assess the breach

The Privacy Officer will gather facts and assess the breach to determine whether it is an ‘eligible data breach’. If required, legal advice must be sought. If the breach involves a Data Processor, the DPO must liaise with them for details.

Criteria for an Eligible Data Breach

  • There has been unauthorised access to, unauthorised disclosure of, or loss of personal information;
  • The breach is likely to result in harm to an individual’s rights or freedoms;
  • Reasonable steps taken to mitigate the risk of serious harm have not been effective.

Factors to consider

  • The nature and categories of information involved;
  • The sensitivity of the information (particularly sensitive or health-related data);
  • Vulnerabilities or circumstances of the individuals affected;
  • The strength of existing security measures;
  • The likelihood of bypassing those measures;
  • The identity/type of individuals who accessed the data;
  • The possible consequences (identity theft, financial loss, safety risks, reputational damage).

Step 4: Notification to regulators and impacted individuals (if required)

If the incident is an eligible data breach, the Privacy Officer must determine whether notification is required. Notifications must be approved by the Privacy Officer, and legal advice should be considered.

Regulator notifications must include:

  • Description of the nature of the breach;
  • Categories and approximate number of data subjects affected;
  • Categories and approximate number of records concerned;
  • Name and contact details of the Responsible Person;
  • Likely consequences of the breach;
  • Measures taken to address the breach.

Individual notifications must include:

  • Identity and contact details of the entity;
  • Identity and contact details of the Privacy Officer;
  • Description of the data breach;
  • Types of personal information involved;
  • Steps individuals should take to protect themselves.

If individuals cannot be notified directly, the entity must publish the notification on its website and take steps to publicise it.

Step 5: Timing of notifications

Notifications must be made promptly where there are reasonable grounds to believe an eligible data breach has occurred. Assessments must be completed within 30 calendar days of awareness.

Step 6: Review and prevent

The Privacy Officer, with IT, must conduct a post-incident review to identify root causes and make recommendations. Improvements must be implemented, including enhancing security and updating staff training.

Step 7: Record-keeping

The Privacy Officer must maintain a record of all data breaches, regardless of whether notification was required. The record must include incident details and remedial actions taken.

Step 8: Regular review

This plan should be reviewed and tested regularly, including through simulated breach exercises, to ensure its effectiveness and compliance with all applicable laws and regulations.

Contact

BEHAVIOUR HELP Pty Ltd
5A Hartnett Close, Mulgrave VIC 3170
Email: dolly@behaviourhelp.com

Annex I: Breach Incident Report Form

HIGHLY CONFIDENTIAL

Company Name:

Form for Reporting a Suspected Information Security Incident

Your Name:
PC Name: (e.g. XX######)
Dept/Division:
Today’s Date:
Tel No:
Email Address:

Date of Incident:
Time of Incident:
Who Was Notified:
Time of Notification:

Brief Description of Incident: (include website URLs, suspect name(s), impacted system(s), other relevant data...)

Did you witness the incident yourself? Y / N

Did others witness the incident? (if yes, specify below)

Involvement checklist

  • Telephone
  • Theft
  • Fax
  • Fraud
  • Photocopier
  • Unauthorised Access
  • Computer Hardware
  • Customers
  • Email
  • Third Parties
  • Internet download
  • Copyright
  • Virus
  • Other (specify below)

Was any COMPANY internal or confidential information compromised? Y / N

Reported to: (circle all applicable)
Supervisor – Law Enforcement – Director of IT – Internal Auditor – Other (Specify)