On February 23, 2018, the Privacy Amendment (Notifiable Data Breaches) Act 2017 will come into effect. This new security law requires all businesses in Australia to notify the Office of the Australian Information Commissioner and any impacted clients about significant data breaches.
The law covers most businesses with an annual turnover of at least $3 million. This includes government agencies, and smaller organisations that handle critical data. If you handle personal information, you are required to secure it and establish a standard plan to notify affected individuals in the event of a data breach.
If your organisation collects any of the following, the revised Privacy Act affects you:
1. Credit reporting or building data
2. Personally identifiable information
3. Tax data
Most Australian companies are already taking steps to ensure they comply with this new act, and their industry standard security initiatives.
Even if you are already taking data privacy seriously, it is a good idea to review your current policies against new regulations. By proactively developing and implementing a data breach contingency plan, you can mitigate the risk of legal action and diminished brand reputation.
We have summarised the following steps to ensure you are protected. We advise you to speak to your legal team and IT provider to make sure you are covered.
1. Identify your at-risk data
Perform an audit to determine what data your company intentionally or inadvertently collects on your clients and customers. Carefully consider if the data is necessary to carry out your business operations, and minimise the actual amount of data collected. Make certain you are using the most effective security applications and technology to encrypt and secure the relevant personally identifiable information.
2. Develop a compliant response plan
There should be 4 components of your response plan:
1. Identify and close security holes
2. Notify government agencies and impacted individuals
3. Train staff to prevent another breach (in the case of human-error). There should be a stated plan with an aggressive timeline to ensure rapid notification.
4. Include all third-party service providers that have access to your data in this process. You can mitigate some of the inherent risks this creates by making certain everyone is on board with the stated plan.
When do you notify the Office of the Australian Information Commissioner and your customers?
According to the new legislation, “where a reasonable person would conclude that there is a likely risk of serious harm to any of the affected individuals”.
If an organisation covered by the regime “is aware that there are reasonable grounds to suspect that there may have been an eligible data breach” it must take reasonable steps to complete within 30 days a “reasonable and expeditious assessment” of whether there has been a breach.
If there are reasonable grounds to believe there has been an eligible data breach, the organisation must prepare a statement detailing the breach and give a copy to the Australian Information Commissioner. Notify any affected individuals “as soon as practicable”.
Your notification will generally be in the manner that you usually use to contact the individual, as long as it is secure and protects their privacy. The notification needs to include the comprised information, the situation, what your client should do and your contact details.
3. Train your staff
Your employees should be trained to deal with data breach notification and prevention. Your communication team should also be involved when talking to the media. Schedule drills covering a variety of scenarios and use the results to further refine your initial plan. The best notification arrangements are those that can be handled by muscle memory.
For more information please visit:
- Office of the Australian Information Commissioner, Data Breach Notification: A guide to handling personal information security breaches.
- Privacy Amendment (Notifiable Data Breaches) Bill 2016 Explanatory Memorandum, available here.
How we can help?
If you are stuck and need some help, we can provide you with a Privacy Amendment (Notification Breaches) Analysis and Remediation Consultation. Express your interest in our professional services.