This is our second post on the Notifiable Data Breaches Scheme.
Amendments made to the Privacy Act 1988 (Cth) this year create new obligations for certain Australian business entities and organisations with respect to data breach notifications.
The changes will come into effect on 22 February 2018.
Will my business be affected by the Scheme?
Only government agencies, companies, businesses and organisations that are ‘APP entities’, and that already have obligations with respect to personal information under the Privacy Act, will be affected by the Scheme.
Generally speaking, this includes federal government agencies, private sector and not-for-profit organisations that have an annual turnover in excess of $3 million, as well as certain businesses with an annual turnover of less than $3 million (small businesses) that handle personal information.
If you are unsure of whether you are an APP entity, seek professional advice.
What new data handling obligations does the Scheme impose on entities?
When entities identify that a ‘serious data breach’ has occurred, they will be required to notify both the Privacy Commissioner and affected customers as soon as they become aware of it.
A data breach means any unauthorised access, unauthorised disclosure or loss of personal data. This includes scenarios where:
1. An unauthorised employee, independent contractor or hacker gains access to personal information of an entity’s customers;
2. Sensitive personal information held by a health service provider is inadvertently made public due to a technical error, removing the entity’s control over the information; or
3. An employee inadvertently leaves an unsecured memory stick, device or hard copies containing employee information on public transport.
Must all breaches be reported?
No. The Scheme only requires breaches that are considered ‘serious’ to be reported. A ‘serious’ data breach is one that is likely (more probable than not) to result in serious harm to an individual whose personal information is accessed, disclosed or lost.
When determining whether a breach is serious, an entity should consider:
• the type of information involved
• its level of sensitivity
• whether it is security protected
• the type of persons who are likely to have obtained the information
• the recipient’s intentions, and
• the nature of the potential harm.
There are also circumstances, specified in the Act, under which an entity may not be required to report a serious data breach.
What do I need to tell my customers?
Customers and other individuals who are affected by the data breach must be provided with information about:
• the type of data breach that occurred,
• the type of data that was involved in the breach, and
• steps they should take to minimise harm.
What should APP entities do now to prepare?
Leading up to February 2018, APP entities should prepare to ensure they are compliant with the Scheme to avoid penalties. This requires the establishment of up-to-date information security policies and practices.
Entities can do this by:
• Reviewing existing policies and practices for data collection, handling and breach response in light of the scheme’s requirements;
• Strengthening online security strategies to avoid breaches; and
• Educating staff on emergency response, mitigation and notification procedures in the event of a data breach.
Complying with privacy regulation not only reduces your risk, it also promotes a trustworthy and reliable business reputation and a healthy customer base.