iHelp IT
Business IT Services - 100% Australian Owned and Operated

New Mandatory Data Breach Notification Laws

February 28, 2018
Catherine Higgins from Lawbase

New Mandatory Data Breach Notification laws came into effect during February. Catherine Higgins from Lawbase explains how these laws affect you, and what you need to do in the event of a breach.

Why are they needed?

Strong data management is integral to the operation of businesses and government agencies worldwide.  At the same time, data analysis has been widely recognised for its value as fuel for innovation.

This noted, one of the biggest risks organisations face with data management is a data breach.  A data breach involving personal information can put affected individuals at risk of serious harm and consequently damage an organisation’s reputation.

A change to the law

To support this protection, on 23 February 2018 and for the first time in Australia, those subject to the Privacy Act 1988 (Cth) (the Privacy Act) now have a mandatory obligation to promptly report eligible data breaches to both the Office of the Australian Information plainmissioner (OAIC) and any individuals who may be potentially affected by the data breach.

Mandatory data breach notification is designed to protect the individuals affected by a data breach so that they may take the necessary steps and measures to protect themselves from any harm or damage.

We believe notifying affected individuals is simply good privacy practice as it gives each person the opportunity to take proactive steps to protect their personal information and also helps to protect an organisation’s reputation by displaying transparency and openness.

Examples of an eligible data breach could be:

Notification obligations

If you believe there is an eligible data breach, there is a requirement to provide notification as soon as practicable.

The notification obligation involves a two-step process.

The notification statement must set out:

Will the new laws affect me?

Organisations with a turnover less than $3 million a year will fall outside the legislation.

Noting this, however, the Privacy Act does apply to some types of businesses with an annual turnover of less than $3 million so the new laws may still apply.  These businesses can include health service providers, gyms, child care centres, private schools, businesses that sell or purchase personal information and credit reporting bodies.

We recommend you confirm your status with OAIC.

How do I prepare if I’m impacted by these new laws?

First of all, don’t panic!  Experts are reporting that as many as 44 per cent of eligible Australian enterprises are not yet ready to comply with the new changes.  This said, you need to get your business up to compliance as soon as possible.

Taking reasonable steps to minimise risk

Eligible organisations should be proactive and take appropriate and reasonable steps to ensure the security of personal information.  It will, of course, depend on the circumstances and be determined by the following:

Noting this, as guidance, the OAIC has advised that reasonable steps would include:

The Guide

For those that have begun the above process or those that need to act quickly to become compliant, we strongly recommend you review the OAIC Guide.  It has been prepared to assist Australian Government agencies and private sector organisations prepare for and respond to data breaches in line with their obligations under the Privacy Act.

As an overview, it is broken into five key parts.

Part 1: Data breaches and the Australian Privacy Act

This section outlines the requirements of the Privacy Act that relate to personal information security and data breach response strategy.  The principles contained within the Privacy Act for the handling of personal information may be adopted by any entity to lower the risk of a data breach occurring and to effectively reduce the impact of a data breach.

Part 2: Preparing a data breach response plan

The faster you respond to a data breach, the more likely it is to limit any negative consequences.  A data breach response plan is essential to enable a swift response and ensure that any legal obligations are met following a data breach.

Part 3: Responding to data breaches — Four key steps

An effective data breach response generally follows a four-step process — contain, assess, notify, and review.  This part of the guide outlines key considerations for each of these steps to assist entities in preparing an effective data breach response.

Part 4: Notifiable Data Breaches (NDB)

This section outlines the requirements of the NDB scheme under the Privacy Act.  The NDB scheme contains mandatory data breach reporting obligations in relation to certain data breaches, and requirements to assess suspected data breaches.

Part 5: Other sources of information

The obligations of the Privacy Act in relation to data breaches co-exist with other reporting obligations.  This section assists entities in identifying where they can find information about other data breach reporting requirements

Are there any penalties if I don’t meet my requirements?

Yes.  If you don’t comply with the notification obligation, you may be subject to anything from investigations, or in the case of serious and repeated non-compliance, substantial civil penalties.

In saying this, we believe not acting to protect the information of someone in your ‘care’ is simply bad practice and penalties should apply.

If you have any questions on the new laws or would like to discuss any elements surrounding them, please contact the author, Catherine Higgins, at Lawbase (lawbase.com.au).

Read more

Best in Breed Solutions

Stop coronavirus killing your business

The importance of power

On Device Management

Real heroes save the future

Time to replace your Mac Server

Make your Mac run faster

Can an iPad replace your Mac?

Scam: “I know your password”

Get 3 Years of Tax Deductions in 3 Weeks!

© Copyright iHelp IT - All Rights Reserved
RatesTerms and Conditions
linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram