Data Breach Response Procedure

Smap Consulting Pty Ltd — effective 23 May 2026

Purpose and scope

This procedure describes how Smap Consulting Pty Ltd detects, responds to, and notifies affected parties of personal data breaches. It applies to all Smap staff, contractors, and subcontractors who handle personal data in connection with Smap's software platform (SmapServer, WebForms, FieldTask) and any hosted or client-deployed instances that Smap has access to for support purposes.

Smap typically acts as a Data Processor on behalf of its clients, who are the Data Controllers. This procedure reflects that role. Where Smap also holds personal data in its own right (for example, contact details of client staff), Smap acts as Data Controller for that data.

What constitutes a data breach

A personal data breach is any accidental or unlawful event that leads to the destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to, personal data. Examples include:

Detection and internal reporting

Any Smap staff member or contractor who discovers or suspects a data breach must report it immediately to the Smap principal (Neil Penman, neilpenman@smap.com.au). Reports should include as much detail as is known at the time: what data may be affected, how the breach occurred, when it was discovered, and how many individuals may be affected.

No attempt should be made to conceal or delay reporting a suspected breach.

Assessment

On receiving a breach report the Smap principal will assess:

Breaches will be classified as high, medium, or low risk based on this assessment. A high-risk classification applies where there is a real risk of significant harm to individuals.

Containment and remediation

Immediate containment steps will be taken as soon as a breach is confirmed. These may include:

A remediation plan will be documented and implemented to prevent recurrence.

Notification to the Data Controller

Where Smap is acting as Data Processor, the affected client (Data Controller) will be notified without undue delay and in any event within 24 hours of Smap confirming that a breach has occurred. Notification will be made by email to the client's designated contact and will include:

Where full details are not available within 24 hours, an initial notification will be sent with the information available, followed by further updates as the investigation proceeds. The Data Controller is then responsible for determining whether and how to notify their supervisory authority (for example, under GDPR the controller has 72 hours from becoming aware of the breach).

Notification to individuals

Notification to affected individuals is the responsibility of the Data Controller. Smap will provide all reasonable assistance to the controller in preparing such notifications where requested.

Where Smap is acting as Data Controller in its own right and a high-risk breach affects individuals directly, Smap will notify those individuals without undue delay.

Documentation

All breaches, including those assessed as low risk and not requiring external notification, will be recorded internally. The record will include: the date of discovery, a description of the breach, the assessment outcome, actions taken, and the outcome of any notification. Records are retained for a minimum of three years.

Post-incident review

Following any medium- or high-risk breach, Smap will conduct a post-incident review to identify root causes and implement preventive measures. Findings will be documented, and any resulting changes to software, configuration, or procedure will be tracked to completion.

Contact

To report a suspected data breach or to request information about this procedure, contact:

Neil Penman
Smap Consulting Pty Ltd
neilpenman@smap.com.au

Revision History

Revision Date    Version Number    Changes
2026-05-23       1                 Created