
Don't fall foul of Australia's new data breach laws

Mandatory Data Breach Laws

With the imminent introduction of new data breach laws, Australian organisations have a codified responsibility to look after the information of their clients. Failure to do so could result in severe penalties, including fines of up to $2.1 million and payments of compensation to affected parties. There is also the risk of reputational damage, which could affect your organisation's ability to continue doing business.

But, with the right approach and the right measures in place to understand the data which you need to protect, there should be nothing to fear from the 22 February 2018 introduction of the Privacy Amendment (Notifiable Data Breaches) Act 2017.

Let’s first look at the organisations to which the new laws apply; they are broad and include:

  • Australian Government agencies
  • Businesses and not-for-profit organisations with an annual turnover of more than $3 million
  • Private sector health service providers (even alternative medicine practices, gyms and weight loss clinics fall under this category)
  • Child care centres, private schools and private tertiary educational institutions
  • Businesses that sell or purchase personal information, along with credit reporting bodies

It is then important to understand what is meant by a ‘data breach’. Again, this is broad and can include even apparently arbitrary events which can compromise customer information. Examples include: 

  • Lost or stolen laptops, removable storage devices, or paper records containing personal information
  • Hard disk drives and other digital storage media (integrated in other devices, for example multifunction printers, or otherwise) being disposed of or returned to equipment lessors without the contents first being erased
  • Databases containing personal information being ‘hacked’ into or otherwise illegally accessed by individuals outside of the agency or organisation
  • Employees accessing or disclosing personal information outside the requirements or authorisation of their employment
  • Paper records stolen from insecure recycling or garbage bins
  • An agency or organisation mistakenly providing personal information to the wrong person, for example by sending details out to the wrong address, and
  • An individual deceiving an agency or organisation into improperly releasing the personal information of another person

If any of these kinds of events occur and are likely to result in serious harm, it is necessary for your organisation to notify the Office of the Australian Information Commissioner (OAIC).

Determining if the breach is likely to result in serious harm is therefore important. Data breaches eligible for notification fulfil three criteria: 

  • There is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, that your organisation holds. 
  • This is likely to result in serious harm to one or more individuals.
  • Your organisation has not been able to prevent the likely risk of serious harm with remedial action.

Your Next Steps

We’re here to help prevent you from finding yourself in a position where you must notify the OAIC of a data breach (and then deal with the possibility of a fine and other repercussions).

1. The first step is to understand your legal obligations. Within your organisation you need to have a full understanding of where you stand with your technology and security policies. These need to be aligned with the OAIC's strict guidelines.

2. The second step to compliance is to identify where the gaps lie within your organisation's policies.

3. Determine the solutions needed to close those gaps.

4. Prioritise the resulting actions so that your organisation is able to operate effectively within the OAIC's guidelines.

We are here to assist you with the creation of new and appropriate data management policies. The new laws are set to come into force in a matter of weeks. Click here to book an obligation free conversation with one of our experts.

When it comes to changes as drastic as this, make sure your organisation is compliant – and never has to go to the OAIC with a notifiable breach. 
