Skip to main content
Note:

Digital.govt.nz will be offline for maintenance on Tuesday 4 October from 5pm to 6pm.

Incident response roles and responsibilities

An incident response plan clearly sets out the roles and responsibilities of those involved in the incident response.

Privacy incident roles

While these roles and responsibilities will vary from agency to agency, the following list indicates the high-level responsibilities of various groups involved in an incident response.

This list is a prompt for further thinking and is not exhaustive.

Privacy officer

Planning for a privacy breach

  • Compile the relevant information required to prepare the incident response plan (for example, data and third party inventories).
  • Lead the preparation, drafting and adoption of the incident response plan.
  • Facilitate table-top exercises to test the effectiveness of the incident response plan.

During a privacy breach

  • Assist with assessing the privacy impact and risks associated with the incident.
  • Contribute to decisions regarding engagement with key stakeholders, including Office of the Privacy Commissioner, Government Chief Privacy Officer, and affected individuals.

Information security and ICT

Planning for a privacy breach

  • Provide input into the incident response plan regarding detection, containment and assessment of the incident.

During a privacy breach

  • Address data breaches and carry out forensic investigations.

Legal

Planning for a privacy breach

  • Review the incident response plan to ensure it complies with all applicable laws.

During a privacy breach

  • Assist with any legal issues and queries associated with the incident.

Communications

Planning for a privacy breach

  • Contribute to the drafting of prepared key messages addressing a range of potential incidents that can be adapted for different stakeholders.
  • Develop a communications plan that includes how to manage media and public enquiries.

During a privacy breach

  • Implement the communications plan.
  • Address media and public enquiries.
  • Amend and publish prepared key messages for different stakeholders.

Risk and assurance

Planning for a privacy breach

  • Assist with the development of severity ratings and escalation triggers.
  • Ensure the incident response plan is consistent with the agency’s risk management approach and strategy.

During a privacy breach

  • Assist with assessing the privacy impact and risks associated with the incident.

Service delivery/operations

Planning for a privacy breach

  • Advise about relationship management with customers, clients and others.
  • Advise about impacts to the agency, customers, clients and others.

During a privacy breach

  • Ensure the response team has access to the resources required to appropriately manage the response.

Senior leadership team

Planning for a privacy breach

  • Understand their role and responsibilities in the incident plan.
  • Review and approve the incident plan.

During a privacy breach

  • Ensure the response team has access to the resources required to appropriately manage the response.
  • Publicly comment on the privacy incident when required.

Utility links and page information

Was this page helpful?
Thanks, do you want to tell us more?

Do not enter personal information. All fields are optional.

Last updated