With the imminent introduction of new data breach laws, Australian organisations have a codified responsibility to look after the information of their clients. Failure to do so could result in severe penalties, including fines of up to $2.1 million and payments of compensation to affected parties.here is also the risk of reputational damage which could affect the ability for your organisation to continue doing business.
But, with the right approach and the right measures in place to understand the data which you need to protect, there should be nothing to fear from the 22 February 2018 introduction of the Privacy Amendment (Notifiable Data Breaches) Act 2017.
Let’s first look at the organisations to which the new laws apply; they are broad and include:
- Australian Government agencies
- Businesses and not-for-profit organisations with an annual turnover of more than $3 million.
- Private sector health services providers (even alternative medicine practices, gyms and weight loss clinics fall under this category)
- Child care centres, private schools and private tertiary educational institutions.
- Businesses that sell or purchase personal information along with credit reporting bodies.
It is then important to understand what is meant by a ‘data breach’. Again, this is broad and can include even apparently arbitrary events which can compromise customer information. Examples include:
- Lost or stolen laptops, removable storage devices, or paper records containing personal information
- Hard disk drives and other digital storage media (integrated in other devices, for example, multifunction printers, or otherwise) being disposed of or returned to equipment lessors without the contents first being erased
- Databases containing personal information being ‘hacked’ into or otherwise illegally accessed by individuals outside of the agency or organisation
- Employees accessing or disclosing personal information outside the requirements or authorisation of their employment
- Paper records stolen from insecure recycling or garbage bins
- An agency or organisation mistakenly providing personal information to the wrong person, for example by sending details out to the wrong address, and;
- An individual deceiving an agency or organisation into improperly releasing the personal information of another person.
If any of these kinds of events occur and are likely to result in serious harm, it is necessary for your organisation to notify the Office of the Australian Information Commissioner (OAIC).
Determining if the breach is likely to result in serious harm is therefore important. Data breaches eligible for notification fulfil three criteria:
- There is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, that your organisation holds.
- This is likely to result in serious harm to one or more individuals.
- Your organisation has not been able to prevent the likely risk of serious harm with remedial action.
Your Next Steps
We’re here to help prevent you from finding yourself in a position where you must notify the OAIC of a data breach (and then deal with the possibility of a fine and other repercussions).
1. The first step is to understand your legal obligations. Within your organisation you need to have a full understanding of where you are with your technology and security policies. These need to be aligned with OAIC's strict guidelines.
2. The second step to compliance is to identify where the gaps lay within your organisations policies.
3. The solution needs to be determined to mitigate the gaps.
4. Actions need to be prioritised to ensure that you are able to effectively stand within OAIC's guidelines.
We are here to assist you with the creation of new and appropriate data management policies. The new laws are set to come into force in a matter of weeks. Click here to book an obligation free conversation with one of our experts.
When it comes to changes as drastic as this, make sure your organisation is compliant – and never has to go to the OAIC with a notifiable breach.