The new Mandatory Data Breach Notification Laws are here.
Why are they needed?
Strong data management is integral to the operation of businesses and government agencies worldwide. At the same time, data analysis has been widely recognised for its value as fuel for innovation.
This noted, one of the biggest risks organisations face with data management is a data breach. A data breach involving personal information can put affected individuals at risk of serious harm and consequently damage an organisation’s reputation.
A change to the law
To address this risk, on 23 February 2018 and for the first time in Australia, those subject to the Privacy Act 1988 (Cth) (the Privacy Act) acquired a mandatory obligation to promptly report eligible data breaches to both the Office of the Australian Information Commissioner (OAIC) and any individuals who may potentially be affected by the data breach.
Mandatory data breach notification is designed to protect the individuals affected by a data breach so that they may take the necessary steps and measures to protect themselves from any harm or damage.
We believe notifying affected individuals is simply good privacy practice, as it gives each person the opportunity to take proactive steps to protect their personal information and also helps to protect an organisation’s reputation by displaying transparency and openness.
Examples of an eligible data breach could be:
- There is unauthorised access or unauthorised disclosure of personal information
- Personal information is lost in circumstances where unauthorised access or unauthorised disclosure of the information is likely to occur
- A reasonable person would determine that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates.
If you believe there is an eligible data breach, there is a requirement to provide notification as soon as practicable.
The notification obligation involves a two-step process.
- The organisation must prepare a statement containing certain (prescribed) information about the data breach and provide it to the OAIC
- The organisation must then notify the affected individuals.
The notification statement must set out:
- The identity and contact details of the organisation
- A description of the eligible data breach
- The kind or kinds of information concerned
- Recommendations about the steps the individuals should take in response to the eligible data breach.
Will the new laws affect me?
Organisations with an annual turnover of less than $3 million will generally fall outside the legislation.
Noting this, however, the Privacy Act does apply to some types of businesses with an annual turnover of less than $3 million, so the new laws may still apply. These businesses can include health service providers, gyms, child care centres, private schools, businesses that sell or purchase personal information, and credit reporting bodies.
We recommend you confirm your status with OAIC.
How do I prepare if I’m impacted by these new laws?
First of all, don’t panic! Experts are reporting that as many as 44 per cent of eligible Australian enterprises are not yet ready to comply with the new changes. This said, you need to get your business up to compliance as soon as possible.
Taking reasonable steps to minimise risk
Eligible organisations should be proactive and take appropriate and reasonable steps to ensure the security of personal information. What counts as reasonable will, of course, depend on the circumstances, including:
- The nature of the entity holding the personal information
- The amount and sensitivity of the personal information held
- The possible adverse consequences for an individual
- The information handling practices of the entity holding the information
- The practicability of implementing the security measure, including the time and cost involved
- Whether a security measure is itself privacy invasive.
Noting this, as guidance, the OAIC has advised that reasonable steps would include:
- Performing or conducting Privacy Impact Assessments
- Implementing Privacy by Design principles
- Performing information security risk assessments
- Having a comprehensive and up to date set of information security policies
- Restricting physical and logical access to personal information on a “need-to-know” basis
- Keeping your software up to date and current
- Employing multi factor authentication
- Configuring your systems for security
- Employing end point security software
- Using security monitoring tools to detect breaches
- Using network security tools
- Conducting penetration testing exercises
- Performing vulnerability assessments
- Having a data breach response process
Are there any penalties if I don’t meet my requirements?
Yes. If you don’t comply with the notification obligation, you may be subject to anything from investigations to, in the case of serious and repeated non-compliance, substantial civil penalties.
In saying this, we believe not acting to protect the information of someone in your ‘care’ is simply bad practice and penalties should apply.
If you have any questions on the new laws or would like to discuss any elements surrounding them, please contact us at Lawbase.