
Data Breach Response Policy

Last updated: April 2026  |  Version 1.0

1. Purpose

This policy outlines how SupportPath (operated by Polished Surfaces Pty Ltd, ABN 60 690 408 854) identifies, responds to, and reports data breaches in accordance with the Privacy Act 1988 (Cth) and the Notifiable Data Breaches (NDB) scheme.

Under the NDB scheme, organisations covered by the Privacy Act must notify the Office of the Australian Information Commissioner (OAIC) and affected individuals when a data breach is likely to result in serious harm to any individual whose personal information is involved.

2. What Is a Data Breach

A data breach occurs when personal information held by SupportPath is:

  • Accessed by an unauthorised person (e.g. hacking, stolen credentials);
  • Disclosed to an unauthorised person (e.g. accidental email, misconfigured access);
  • Lost in circumstances where unauthorised access or disclosure is likely (e.g. lost device containing user data).

A breach is notifiable if a reasonable person would conclude that it is likely to result in serious harm to one or more individuals, and we have not been able to remove that likelihood through remedial action (for example, by recovering the data before it was accessed). Serious harm includes identity theft, financial loss, physical harm, psychological harm, or reputational damage.

3. Our Response Process

When a suspected data breach is identified, SupportPath follows this process:

Step 1: Contain

Take immediate steps to contain the breach and limit further exposure. This may include disabling compromised accounts, revoking API keys, blocking IP addresses, or taking systems offline.

Step 2: Assess

Conduct a rapid assessment of the breach to determine:

  • What personal information was involved;
  • How many individuals are affected;
  • The cause of the breach;
  • Whether the breach is likely to result in serious harm;
  • Whether any remedial action can reduce the risk of harm.

This assessment must be reasonable and expeditious. The Privacy Act requires it to be completed within 30 days of becoming aware of reasonable grounds to suspect a breach; we treat 30 days as the outer limit, not the target, and aim to complete the assessment as quickly as the circumstances allow.

Step 3: Notify

If the assessment determines that the breach is likely to result in serious harm:

  • Notify the OAIC as soon as practicable via the Notifiable Data Breach reporting form at oaic.gov.au;
  • Notify affected individuals directly (by email where possible), describing the breach, the information involved, and recommended steps they can take to protect themselves;
  • If it is not practicable to notify individuals directly, publish a notification on our website and take reasonable steps to bring it to the attention of affected individuals.

Step 4: Prevent

After the breach is resolved, conduct a post-incident review to:

  • Identify root causes;
  • Implement additional security controls to prevent recurrence;
  • Update internal policies and training as needed;
  • Document the incident and response for compliance records.

4. Types of Information We Hold

SupportPath holds the following categories of personal information that may be involved in a data breach:

  • Names, email addresses, and phone numbers of providers and families;
  • ABNs and NDIS registration numbers of providers;
  • Messages between families and providers;
  • Verification documents (screening checks, WWCC, qualifications);
  • Payment information (processed by Stripe — we do not store card numbers);
  • IP addresses and browser information;
  • Incident reports (which may contain sensitive health information).

5. Security Measures

SupportPath implements the following measures to minimise the risk of data breaches:

  • Encryption of all data in transit (TLS 1.3) and at rest;
  • Row-level security on database tables;
  • Secure authentication with hashed passwords;
  • Regular security reviews and access audits;
  • Anti-scraping and bot detection systems;
  • Principle of least privilege for all system access;
  • Secure file storage with access controls for verification documents;
  • Automated monitoring for suspicious activity.

6. Reporting a Suspected Breach

If you believe there has been a data breach affecting your personal information on SupportPath, or if you discover a security vulnerability, please contact us immediately:

Privacy Officer — SupportPath

Email: hello@supportpath.com.au

Subject line: URGENT — Data Breach Report

We will acknowledge your report within 24 hours and commence our assessment immediately.

7. OAIC Contact

If you are concerned about how SupportPath has handled a data breach, you may contact the Office of the Australian Information Commissioner directly:

Office of the Australian Information Commissioner

Website: oaic.gov.au

Phone: 1300 363 992

Email: enquiries@oaic.gov.au