01

Introduction and Commitment

Communicat IT places the highest importance on protecting the confidentiality of information entrusted to us by our clients. As a Managed Service Provider, we hold and process personal information both as a principal (our own client contact details) and on behalf of our clients (through managed services, hosting, backups, and email management).

This policy outlines how we detect, respond to, and report data breaches in compliance with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 (Cth).

This policy applies to all Communicat IT staff, contractors, and third-party suppliers who handle personal information on our behalf.

02

What Is a Data Breach

A data breach occurs when personal information held by an organisation is accessed, disclosed, or lost without authorisation. In the context of an MSP, this may include:

  • Unauthorised access to client systems or data
  • Accidental disclosure of personal information (e.g. misdirected email)
  • Loss of devices containing personal information
  • Ransomware or cyber attack compromising data
  • Misconfigured cloud services exposing data
  • Insider threats or unauthorised staff access
  • A breach at a third-party vendor or sub-processor

03

What Is an Eligible Data Breach

Under section 26WE of the Privacy Act 1988, an eligible data breach occurs when all three of the following conditions are met:

  a. There is unauthorised access to, unauthorised disclosure of, or loss of personal information held by the entity
  b. The breach is likely to result in serious harm to any of the affected individuals
  c. The entity has not been able to prevent the likely risk of serious harm through remedial action

Factors in assessing serious harm (s 26WG)

  • The kind(s) and sensitivity of the personal information involved
  • Whether the information is protected by security measures such as encryption
  • The person(s) who have obtained or could obtain the information
  • The nature of the harm that could result (financial, reputational, physical)
  • Whether the information could be used for identity fraud or financial crime

04

Our Response Process

Our data breach response follows the OAIC's four-step model. If a breach is suspected, we are required under section 26WH to conduct a reasonable and expeditious assessment, which must be completed within 30 calendar days of becoming aware of the grounds for suspicion.

01

Contain

Take immediate steps to limit the breach and prevent further unauthorised access or disclosure.

  • Isolate or shut down affected systems
  • Revoke or change compromised credentials
  • Recover personal information where possible
  • Preserve evidence for investigation

02

Assess

Evaluate the breach to determine its scope, the type of information involved, and whether it is likely to result in serious harm.

  • Identify what personal information was involved
  • Determine how the breach occurred
  • Assess who may have gained unauthorised access
  • Evaluate the risk of serious harm to affected individuals
  • Determine whether the breach is an eligible data breach under the NDB scheme

03

Notify

If the breach is an eligible data breach, notify the OAIC and affected individuals as soon as practicable.

  • Prepare and submit a Notifiable Data Breach statement to the OAIC
  • Notify affected individuals directly where possible
  • Include a description of the breach, the type of information involved, and recommended steps
  • If direct notification is not practicable, publish a statement on our website

04

Review

Conduct a post-incident review to understand what happened and prevent future breaches.

  • Investigate the root cause
  • Update security controls and procedures
  • Review staff training and awareness
  • Document lessons learned
  • Update the breach register

05

Our Obligations as an MSP

As a Managed Service Provider, Communicat IT has a dual role in data breach management:

  • Our own client data

    Where we hold personal information as a principal (e.g. client contact details, billing information), we are directly responsible for NDB compliance, including notification to the OAIC and affected individuals.

  • Data we process on behalf of clients

    Where we manage client infrastructure, hosting, backups, or email, we will notify affected client organisations promptly so they can meet their own NDB obligations. We commit to notifying affected clients within 24 hours of confirming a breach and will provide forensic information and logs to assist their response.

06

Internal Escalation

If a data breach is known or suspected by any Communicat team member, they must alert the Managing Director within 24 hours, providing:

  • When the breach occurred or was discovered
  • What type of personal information is affected
  • The cause of the breach (if known)
  • Which systems may be affected
  • Whether any corrective action has already been taken
  • The potential number of individuals affected

07

Preventive Measures

Prevention is the most effective form of data breach management. We maintain the following measures to reduce the risk of breaches occurring:

  • Security controls

    Encryption, multi-factor authentication, access controls, and network segmentation aligned to security best practices.

  • Monitoring and detection

    Continuous monitoring of systems and infrastructure to detect anomalous activity and potential breaches early.

  • Staff training

    Regular security awareness training for all team members covering phishing, social engineering, and data handling procedures.

  • Vendor management

    Security requirements in contracts with third-party suppliers and sub-processors who may handle personal information on our behalf.

  • Regular assessments

    Periodic security assessments and audits to identify and address vulnerabilities before they can be exploited.

  • Breach register

    We maintain a register of all data breaches, including those that do not meet the threshold for notification, as recommended by the OAIC.

08

Your Rights

If you believe your personal information has been compromised in a data breach involving Communicat IT, you have the right to:

  • Be notified if the breach is an eligible data breach under the NDB scheme
  • Receive information about the breach and recommended steps to protect yourself
  • Lodge a complaint with Communicat IT
  • Lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au or by phone on 1300 363 992

09

Contact Us

For all matters related to privacy and data breaches, including complaints about breaches of privacy, please contact us:

  • Email: support@communicat.com.au
  • Phone: (03) 9320 0000 (local) or 1300 766 393 (national)
  • Address: Level 2, 461 Williamstown Road, Port Melbourne, VIC 3207

10

Policy Review

This policy is reviewed annually or when there are changes to relevant legislation. It was last reviewed in April 2025.