Strong data management is integral to the operation of businesses and government agencies worldwide. At the same time, data analysis has been widely recognised for its value as fuel for innovation.
This noted, one of the biggest risks organisations face with data management is a data breach. A data breach involving personal information can put affected individuals at risk of serious harm and consequently damage an organisation’s reputation.
To support this protection, on 23 February 2018 and for the first time in Australia, those subject to the Privacy Act 1988 (Cth) (the Privacy Act) now have a mandatory obligation to promptly report eligible data breaches to both the Office of the Australian Information Commissioner (OAIC) and any individuals who may be potentially affected by the data breach.
Mandatory data breach notification is designed to protect the individuals affected by a data breach so that they may take the necessary steps and measures to protect themselves from any harm or damage.
We believe notifying affected individuals is simply good privacy practice, as it gives each person the opportunity to take proactive steps to protect their personal information and also helps to protect an organisation’s reputation by displaying transparency and openness.
Examples of an eligible data breach could be:
If you believe there is an eligible data breach, there is a requirement to provide notification as soon as practicable.
The notification obligation involves a two-step process.
The notification statement must set out:
Organisations with a turnover less than $3 million a year will fall outside the legislation.
Noting this, however, the Privacy Act does apply to some types of businesses with an annual turnover of less than $3 million, so the new laws may still apply. These businesses can include health service providers, gyms, child care centres, private schools, businesses that sell or purchase personal information and credit reporting bodies.
We recommend you confirm your status with OAIC.
First of all, don’t panic! Experts are reporting that as many as 44 per cent of eligible Australian enterprises are not yet ready to comply with the new changes. This said, you need to get your business up to compliance as soon as possible.
Eligible organisations should be proactive and take appropriate and reasonable steps to ensure the security of personal information. It will, of course, depend on the circumstances and be determined by the following:
Noting this, as guidance, the OAIC has advised that reasonable steps would include:
Yes. If you don’t comply with the notification obligation, you may be subject to anything from investigations to, in the case of serious and repeated non-compliance, substantial civil penalties.
In saying this, we believe not acting to protect the information of someone in your ‘care’ is simply bad practice and penalties should apply.
If you have any questions on the new laws or would like to discuss any elements surrounding them, please contact us at Lawbase.