What happens if you have a data breach? Mandatory notification laws introduced

On 22 February 2018 the Privacy Amendment (Notifiable Data Breaches) Act 2017 came into effect in Australia.

This amendment obliges businesses to notify affected individuals and the Australian Information Commissioner when personal information they hold is lost, accessed or disclosed without authorisation and that breach is likely to result in serious harm to the individuals concerned.

Does this apply to my organisation?
It applies to any organisation covered by the Privacy Act, which in broad terms means organisations with an annual turnover of $3 million or more, and to all Australian Government agencies. The Notifiable Data Breaches scheme also applies, regardless of turnover, where your organisation:

    1. Deals with health records (for example doctors, gyms, child care centres)
    2. Shares personal information about individuals to another party for a benefit, or provides a benefit to get such information
    3. Holds Tax File Numbers
    4. Offers credit or deals with credit information.

This list has been shortened to what is most relevant for our clients, so for full details of the entities covered under the Notifiable Data Breaches Scheme please go to https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme/entities-covered-by-the-ndb-scheme.

So what is involved?
The big thing is to be prepared. You need to make sure you are taking every reasonable step possible to prevent a breach. You also need to have systems and procedures in place to identify and assess data breaches. Finally, you need to have a plan for how to respond in the event of a data breach and who must be notified.

What determines if I have taken all reasonable steps to prevent a breach?
The Office of the Australian Information Commissioner has a publication titled “Guide to securing personal information” which provides direction on what are considered reasonable steps to secure information. This can be viewed or downloaded at https://www.oaic.gov.au/agencies-and-organisations/guides/guide-to-securing-personal-information.

This publication gives you a process to work through that will help you show you are taking reasonable action to protect data against breaches. Broadly, the process is:

      1 – Consider: Do you really need to collect and store personal information as part of your business activities?
      2 – Plan: How will the personal information be handled and where can you incorporate further protection? What systems do you use and who has access to the data? What level of security do you place over the data?
      3 – Assess: Where are the risks in how you collect, store and handle information? Is this likely to change? How can these risks be minimised?
      4 – Implement: What have you done to manage the privacy risks you identified? Is further action required?
      5 – Destroy: What data do you have that you no longer need? How can you securely destroy or de-identify it?

Working through this process will give you confidence that you have taken reasonable steps to secure the personal information you deal with as part of your day-to-day operations. Document all your work through this process, and any later reviews or checks you make, so that you have a record showing what action was taken and when.

What is the expected response to a data breach?
Every organisation should have a data breach response plan. This should set out the roles and responsibilities for managing a breach in your organisation and document the action that needs to be taken. This is critical for effective management and data containment in the actual event of a breach.

Details on what should be included in a data breach response plan can be found at https://www.oaic.gov.au/agencies-and-organisations/guides/data-breach-preparation-and-response#part-2-preparing-a-data-breach-response-plan.

You may find a real life example helpful as well – check out the data breach response plan of the Office of the Australian Information Commissioner themselves at https://www.oaic.gov.au/about-us/our-corporate-information/key-documents/data-breach-response-plan/.

What constitutes a ‘serious breach’ and who must be notified?
This is the key to the whole amendment. The Act uses the term ‘eligible data breach’: it is a breach that is likely to result in serious harm that gives rise to the need to notify both the affected individuals and the Australian Information Commissioner. Serious harm can be physical, psychological, emotional, financial or reputational. In deciding whether a breach meets this test you need to think about whether the compromised data could be used for things like identity theft, financial loss, threats to someone’s physical safety, loss of employment, humiliation, reputational damage, workplace bullying or marginalisation. If you act quickly enough that the serious harm is no longer likely (for example, a misdirected email is recalled and deleted before it is read), the breach does not need to be notified, but you should document how you reached that conclusion.

Regardless of whether a breach turns out to be an ‘eligible data breach’, your organisation must carry out a “reasonable and expeditious” assessment whenever a breach is suspected or reported, to work out whether it has the potential to cause serious harm to the individuals whose information has been compromised. You have up to 30 days to complete that assessment, and once you conclude that the breach is notifiable you must notify as soon as practicable. In practice the first 24 hours are the most important to the success of your response, because that is when containment (revoking access, recovering lost devices, recalling messages) is most likely to work.

In summary
Data protection is not something you can afford to leave to your IT team alone. Every point of interaction with personal data poses a risk of that data being compromised – it is not just malicious software or hackers that pose a threat. In late January 2018 the ABC came into possession of hundreds of highly classified documents from the Australian Cabinet spanning several governments, many of which it chose to publish. These documents are meant to stay secret for at least 20 years. The breach occurred because some old filing cabinets were sold off without the contents being removed and disposed of first.

You need to have your whole team on-board with your data protection plan and conscious of where the risks are, otherwise it’s only too easy for them to inadvertently compromise it for you.

Keep that data safe.

Thanks for reading.

By Genna Kidd
