A framework for data privacy and security accountability in data breach communications

Abstract

Organisations need to take steps to protect the privacy and security of the personal information they hold. However, when data is breached, how do individuals know whether the organisation took reasonable steps to protect their data? When breached organisations notify affected individuals, this communication is likely to be one of the few windows into the incident from the outside and can become an important artefact for research. This desktop study aimed to consider the extent to which publicly available Australian data breach communications reflect data privacy and security best practices. This paper presents a brief review of literature and government guidance on data security and privacy best practices, along with the results of a qualitative content analysis of 33 publicly available Australian data breach communications. This analysis illustrated that there was little reflection of data privacy and security practices. Literature, government guidance and the content analysis were used to inform and develop a new voluntary framework for organisations. This consists of a series of evaluation questions divided into two broad categories: responsible data management and responsible portrayal of the breach. The framework has the potential to help organisations plan the inclusion of data privacy and security management aspects in their data breach communications. This could assist organisations to address their legal and ethical responsibility to account for their actions in managing privacy and security of the personal data they hold.