As witnessed in the wake of recent attacks, Australian businesses, like those in other countries, have not been exempt from data breaches resulting in the exposure of personal information. Data breaches are not simply restricted to malicious actions, including theft or hacking. Employee errors or failure to follow internal policies and processes can also lead to accidental loss or disclosure of internal data.
From 22 February 2018, organisations will be legally obliged to inform customers of data breaches due to the much-anticipated Privacy Amendment (Notifiable Data Breaches) Act 2017.
All Australian government agencies, businesses, and other organisations covered by the Privacy Act and with a turnover in excess of $3 million will be subject to the Act, with a few exceptions.
A number of businesses that turn over $3 million or less are also covered by the Privacy Act, including:
- Organisations that provide a health service and hold health information (other than in an employee record). Examples of organisations providing a health service include:
- Traditional health service providers, such as private hospitals, day surgeries, medical practitioners, pharmacists, and allied health professionals
- Complementary therapists, such as naturopaths and chiropractors
- Gyms and weight loss clinics
- Childcare centres and private schools.
- Businesses that sell or purchase personal information, such as consumer credit reporting information, including credit reporting bodies, credit providers (including energy and water utilities and telecommunication providers) and tax file numbers; as well as certain other third parties.
Once enforced, the Notifiable Data Breaches (NDS) scheme will require organisations to ‘notify any individuals likely to be at risk of serious harm’ as well as the Office of the Australian Information Commissioner (OAIC) as soon as practicable when they have reasonable grounds to conclude an eligible data breach has taken place. Legally required, data breach notification is intended to safeguard the impacted party so that they can adopt the measures needed to protect themselves from loss.
This scheme is important as it will enhance the security afforded to individuals’ personal information while increasing transparency in relation to how organisations react to serious data breaches. Further, it will heighten consumer confidence that personal data held by organisations is respected and protected, and lets individuals to take steps to diminish the impact of unauthorised access to and use of personal information.
The Privacy Amendment (Notifiable Data Breaches) Act 2017 deems a data breach has arisen ‘where there has been unauthorised access to, or unauthorised disclosure of, personal information about one or more individuals (the affected individuals), or where such information is lost in circumstances that are likely to give rise to unauthorised access or unauthorised disclosure.’
A data breach is classified as an ‘eligible data breach’ in instances where there is a likelihood that the affected individuals are at ‘risk of serious harm as a result of the unauthorised access or unauthorised disclosure.’
When contacting the OAIC and affected individuals following an eligible data breach, organisations must include the name and contact details for the organisation, a description of the breach, the kinds of information affected as well as steps that individuals can follow in response.
Failure to comply with the NDS scheme will be ‘deemed to be an interference with the privacy of an individual’, with penalties ranging from less severe sanctions to a civil penalty. Less severe penalties may incorporate public or personal apologies, payments for compensation, or enforceable undertakings.
A civil penalty is only enforceable in the instance of serious or repeated contravention of mandatory notification requirements. Now is the time to act if an organisation hasn’t enforced its security policies. This policy amendment is an indication that the government is dealing with data breaches more seriously than ever before.
To actively protect themselves from data breaches, organisations should:
- Review business practices, producers, and systems surrounding data collection, data handling and data breaches to ensure they follow the requirements of the NDS scheme, and safeguard employees’ personal information by storing only what is needed.
- Complete a Privacy Impact Assessment (PIA) when commencing new projects
- Consider the seven ‘privacy by design’ principles in projects and decisions concerning personal information
- Complete a security risk assessment audit to identify where the business is storing data
- Strengthen cybersecurity defences by reviewing policies and procedures to ensure they are correctly implemented and followed. Outline practices to reduce administrative errors which could result in a data breach.
- For example: Review employees’ access to data and ensure they only have access to data required to complete their job competently. Limiting access to data reduces the possibility of employees negligently disclosing or a cybercriminal obtaining access to the data
- Consider how sensitive data is shared within the organisation and ensure appropriate governance and authentication requirements are in place to stop employees from breaking business policies. Businesses should aim for a balance of risk and productivity when determining each policy.
- Develop a data breach response process which can be enacted if needed.
Organisations must now review their cybersecurity policies including measures surrounding the protection of customer’s information and whether security procedures are adequate. This amendment should not be the fundamental driver to enhance security for those organisations who have been inadequately investing in information protection.
Businesses should prioritise continual reviews of data security so customers’ data is not compromised, and use risk-based methodology for privacy management. Organisations can’t afford to wait for the amendments to be enacted; now is the time to get on the front foot.