New Mandatory Data Breach Notification laws came into effect during February. Catherine Higgins from Lawbase explains how these laws affect you, and what you need to do in the event of a breach.
Strong data management is integral to the operation of businesses and government agencies worldwide. At the same time, data analysis has been widely recognised for its value as fuel for innovation.
This noted, one of the biggest risks organisations face with data management is a data breach. A data breach involving personal information can put affected individuals at risk of serious harm and consequently damage an organisation’s reputation.
To support this protection, on 23 February 2018 and for the first time in Australia, those subject to the Privacy Act 1988 (Cth) (the Privacy Act) acquired a mandatory obligation to promptly report eligible data breaches to both the Office of the Australian Information Commissioner (OAIC) and any individuals who may be affected by the data breach.
Mandatory data breach notification is designed to protect the individuals affected by a data breach so that they may take the necessary steps and measures to protect themselves from any harm or damage.
We believe notifying affected individuals is simply good privacy practice as it gives each person the opportunity to take proactive steps to protect their personal information and also helps to protect an organisation’s reputation by displaying transparency and openness.
Examples of an eligible data breach could be:
If you believe there is an eligible data breach, there is a requirement to provide notification as soon as practicable.
The notification obligation involves a two-step process.
The notification statement must set out:
Organisations with a turnover less than $3 million a year will fall outside the legislation.
Noting this, however, the Privacy Act does apply to some types of businesses with an annual turnover of less than $3 million so the new laws may still apply. These businesses can include health service providers, gyms, child care centres, private schools, businesses that sell or purchase personal information and credit reporting bodies.
We recommend you confirm your status with OAIC.
First of all, don’t panic! Experts are reporting that as many as 44 per cent of eligible Australian enterprises are not yet ready to comply with the new changes. That said, you need to bring your business into compliance as soon as possible.
Eligible organisations should be proactive and take appropriate and reasonable steps to ensure the security of personal information. It will, of course, depend on the circumstances and be determined by the following:
Noting this, as guidance, the OAIC has advised that reasonable steps would include:
For those that have begun the above process or those that need to act quickly to become compliant, we strongly recommend you review the OAIC Guide. It has been prepared to assist Australian Government agencies and private sector organisations prepare for and respond to data breaches in line with their obligations under the Privacy Act.
As an overview, it is broken into five key parts.
This section outlines the requirements of the Privacy Act that relate to personal information security and data breach response strategy. The principles contained within the Privacy Act for the handling of personal information may be adopted by any entity to lower the risk of a data breach occurring and to effectively reduce the impact of a data breach.
The faster you respond to a data breach, the more likely it is to limit any negative consequences. A data breach response plan is essential to enable a swift response and ensure that any legal obligations are met following a data breach.
An effective data breach response generally follows a four-step process — contain, assess, notify, and review. This part of the guide outlines key considerations for each of these steps to assist entities in preparing an effective data breach response.
This section outlines the requirements of the NDB scheme under the Privacy Act. The NDB scheme contains mandatory data breach reporting obligations in relation to certain data breaches, and requirements to assess suspected data breaches.
The obligations of the Privacy Act in relation to data breaches co-exist with other reporting obligations. This section assists entities in identifying where they can find information about other data breach reporting requirements.
Yes. If you don’t comply with the notification obligation, you may be subject to anything from investigations to, in the case of serious and repeated non-compliance, substantial civil penalties.
In saying this, we believe not acting to protect the information of someone in your ‘care’ is simply bad practice and penalties should apply.
If you have any questions on the new laws or would like to discuss any elements surrounding them, please contact the author, Catherine Higgins, at Lawbase (lawbase.com.au).