In today’s world where masses of information is collected, stored and transmitted every minute of every day, the protection of people’s privacy is more vital than ever. This is especially the case when you consider the ways in which cyber security and data breaches can impact on an individual.
As an example, identity crime is one of the most prevalent types of crime in Australia, costing the country around $2.2 billion per year, according to the Federal Attorney General’s Department. It can result in all kinds of harm to the individuals affected – including financial and personal. It may also cause reputational and financial damage to organisations impacted by the crime.
In light of this, the Australian Government has taken steps to tighten the protection of people’s personal information through its new mandatory data breach reporting laws. We recently released information on this which can be read here.
The legislation in a nutshell
The Notifiable Data Breaches (NDB) scheme will come into affect on February 22, 2018. It will apply to organisations already responsible for keeping data and information secure under the Privacy Act, and will not be retrospective.
Organisations affected include businesses and not-for-profits with an annual turnover of at least $3 million, as well as Australian Government agencies. The legislation may also apply to some businesses with a turnover under $3 million – such as private sector health service providers, educational institutions, and businesses that sell or purchase personal information.
Failure to comply is considered to be interference with the privacy of an individual. Serious or repeated interferences can result in penalties of up to $1.8 million.
Aim of the Scheme
The aim of the new legislation is to further strengthen privacy protections and improve organisational transparency with regard to data breaches. It will mean that organisations can no longer afford to keep quiet about serious data breaches, and that they will need to report notifiable data breaches to the individuals affected and to the Office of the Australian Information Commissioner (OAIC).
About notifiable data breaches
Many organisations in Australia collect all kinds of personal and sensitive information on indivduals. This may include names, addresses, genders, names of family members, tax file numbers, credit card details, financial information, medical history, personal beliefs and so on. The Privacy Act already stipulates that such information must be protected and kept secure.
When information of this kind is lost, accessed or disclosed without authorisation, a data breach is deemed to have occurred. For example, the personal information of an individual could be inadvertently disclosed online, or a database could suffer a serious cyber attack.
In cases likely to cause serious harm to those affected, a notifiable data breach exists. Organisations responsible to the Privacy Act are under obligation to report such notifiable breaches to the individual impacted and to the OAIC.
What is meant by ‘serious harm’?
If an individual suffers harm such as personal or business financial loss, reputational damage, risk to personal safety, or any other kind of harm whether physical or psychological, then ‘serious harm’ is considered to have occurred.
The organisation concerned is expected to investigate breaches to determine the level of harm likely to be caused, to report any notifiable breaches, and to take steps to prevent further damage occurring. The assessment needs to be completed within 30 days of becoming aware of a breach having occurred.
Why is the legislation needed?
Up until now, there has been a lack of reporting requirements for data breaches. This has meant that organisations could attempt to hide or cover up serious breaches.
According to a number of security experts, the new scheme is a good step forward in strengthening the protection of people’s personal information and in improving organisational transparency.
Requirements of a notification
Once an organisation is aware of a notifiable breach, it needs to notify the relevant parties as soon as practicable. A notification to affected individuals must include the organisation’s identity and contact details, describe the data breach and the types of information involved, and offer assistance to the individuals affected. It should also state if any other parties have been notified – such as the OIAC or the police.
It is important to note that there are exceptions to the obligation to notify. These include instances where an organisation has taken “reasonable” action to minimise the potential for adverse outcomes arising from a breach before any serious harm has been caused.
Next steps to take
Organisations in Australia need to be proactive in managing the personal and sensitive information they collect and protecting people’s privacy. This includes developing a culture of privacy within the organisation, where personal information is treated as an asset to be respected, managed and protected.
Some of the considerations here include the development of company practices and procedures, the use of technology (e.g. encryption), and the appointment of personnel in specific roles for the management of information.
With regard to breaches, your organisation may need to:
- Determine what a breach constitutes within the organisation.
- Appoint a staff member to take responsibility for acting on data breaches.
If a breach occurs, you will need to:
- Determine if it is notifiable – that is, likely to result in serious harm.
- Investigate the degree and level of harm it is likely to cause.
- Notify the individual affected and the OAIC of the breach.
- Notify the police if you suspect a crime has been committed.
It’s also important to review your organisation’s privacy and compliance practices to determine how and why the breach occurred, and to make amendments where necessary to improve privacy protections and prevent a recurrence.
As well as protecting individuals, taking steps to protect personal information is good for business. It reduces the risk of insurance claims, reputational damage, loss of trust and the potential for financial losses.
For more information, see the OAIC website.