Data Breach Response Procedure

Status: v1.0
Tier: Tier 1 – Core Corporate & Platform Policy
Owner: Governance and Compliance Function
Approval Authority: Board of Directors
Effective Date: 5 January 2026
Next Review: 12 months from approval

1. Purpose

This procedure sets out how Global Talent Pathway identifies, assesses, responds to, and manages data breaches, including breaches involving personal or sensitive information.

It is designed to meet obligations under Australia’s Notifiable Data Breaches (NDB) scheme and comparable international requirements.

2. What Is a Data Breach

A data breach occurs when information is:

  • accessed or disclosed without authorisation, or

  • lost in circumstances likely to result in unauthorised access or disclosure.

Breaches may result from cyber incidents, human error, system failures, or malicious acts.

3. Immediate Response

Upon becoming aware of a suspected data breach, Global Talent Pathway will:

  • Contain the incident where possible to prevent further unauthorised access or disclosure.

  • Preserve evidence relevant to the incident.

  • Escalate the incident promptly to designated management and security contacts.

All personnel must report suspected breaches without delay.

4. Assessment

An assessment will be conducted to determine:

  • what information was affected,

  • whether personal or sensitive information was involved,

  • the likelihood of serious harm to individuals, and

  • whether notification is required under applicable law.

The assessment and outcome are documented.

5. Notification

Where a breach is likely to result in serious harm, Global Talent Pathway will:

  • notify affected individuals as soon as practicable, and

  • notify the Office of the Australian Information Commissioner (OAIC) or other relevant regulators as required.

Notifications will include:

  • a description of the breach,

  • the types of information involved, and

  • recommended steps to mitigate harm.

6. Remediation and Prevention

Following a breach, Global Talent Pathway will:

  • take steps to reduce the risk of harm,

  • address control weaknesses, and

  • implement corrective actions to prevent recurrence.

7. Recordkeeping

All data breaches, including those not requiring notification, are recorded internally.

Records include:

  • incident details,

  • assessment outcomes,

  • actions taken, and

  • notifications made.

8. Review and Escalation

Significant incidents and trends are reviewed by management and escalated to executive leadership or the Board where appropriate.

This procedure is reviewed periodically.