Data Breach Response Policy

Version 1.0 — Last updated 14 March 2026

Effective Date: March 2026

ShiftSync Pty Ltd ("ShiftSync", "we", "us", "our") is committed to protecting the personal information of our users. This policy outlines our procedures for detecting, assessing, and responding to data breaches in accordance with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 (Cth).

1. What Is a Data Breach?

A data breach occurs when personal information held by ShiftSync is subject to unauthorised access, disclosure, or loss. This includes:

  • Unauthorised access to databases or systems containing personal information
  • Accidental disclosure of personal information to unintended recipients
  • Loss of devices or storage media containing personal information
  • Cyber security incidents such as hacking, malware, or phishing attacks
  • Employee misconduct involving personal information

2. What Is an Eligible Data Breach?

Under the NDB scheme, a data breach is an "eligible data breach" if:

  • There is unauthorised access to, disclosure of, or loss of personal information
  • A reasonable person would conclude that the breach is likely to result in serious harm to any of the individuals whose information is involved
  • The organisation has not been able to prevent the likely risk of serious harm through remedial action

3. Breach Detection and Reporting

We maintain systems and processes to detect potential data breaches, including:

  • Automated monitoring and alerting for unusual system activity
  • Audit logging of all administrative and data access actions
  • Regular security assessments and vulnerability scanning
  • Staff training on identifying and reporting potential breaches

Any person (employee, contractor, or user) who suspects a data breach should immediately report it to our security team at security@shiftsync.com.au.

4. Breach Assessment (72-Hour Window)

Upon becoming aware of a suspected data breach, we will:

  1. Contain the breach — Take immediate steps to limit the scope and impact of the breach
  2. Assess the breach — Within 72 hours, conduct an assessment to determine whether the breach is an eligible data breach, including evaluating the type of information involved, the likely risk of serious harm, and the number of individuals affected
  3. Document findings — Record all details of the breach and assessment in our breach register

5. Notification to the OAIC

If we determine that an eligible data breach has occurred, we will notify the Office of the Australian Information Commissioner (OAIC) as soon as practicable. The notification will include:

  • Our identity and contact details
  • A description of the breach
  • The type of information involved
  • Recommendations about the steps individuals should take in response to the breach

Notifications can be made to the OAIC via:

6. Notification to Affected Individuals

If an eligible data breach occurs, we will notify affected individuals as soon as practicable. The notification will include:

  • A description of the breach in plain language
  • The types of personal information involved
  • Recommendations about steps individuals should take in response (e.g., changing passwords, monitoring accounts)
  • Contact details for further information and support

We will notify individuals via their registered email address. Where email is not available, we will use alternative contact methods or publish a notice on our website.

7. Remediation

Following a data breach, we will:

  • Implement measures to prevent similar breaches in the future
  • Review and update our security practices as necessary
  • Conduct a post-incident review to identify lessons learned
  • Update this policy and related procedures if required

8. Record Keeping

We maintain a register of all data breaches (including non-eligible breaches) for a minimum of 5 years. This register includes:

  • Date the breach was detected
  • Nature and extent of the breach
  • Assessment outcome
  • Actions taken in response
  • Notifications made

9. Reporting a Suspected Breach

If you believe your personal information held by ShiftSync has been compromised, please contact us immediately:

  • Email: security@shiftsync.com.au
  • Website: www.shiftsync.com.au

10. Contact Us

For questions about this Data Breach Response Policy:

  • Email: privacy@shiftsync.com.au
  • Website: www.shiftsync.com.au