Australia regulates privacy at the federal, state and territory level. At the federal level, the Privacy Act 1988 (Privacy Act) and the Australian Privacy Principles (APPs) apply to businesses with an annual turnover of more than $3 million, and to certain other organisations regardless of turnover, such as health service providers and credit reporting bodies.
Entities bound by the APPs (known as APP entities) are also subject to the mandatory Notifiable Data Breaches (NDB) scheme and its reporting requirements.
Where an entity suspects but is not sure that an eligible data breach has occurred, the scheme requires it to complete an assessment within 30 calendar days. A recent review of the scheme also recommended that organisations' contracts with third-party and cybersecurity vendors require prompt and detailed disclosure of any breach affecting the organisation's data, since the organisation remains responsible for notification.
Key Lessons From Australia’s Notifiable Data Breaches Scheme
The NDB scheme was introduced by the Privacy Amendment (Notifiable Data Breaches) Act 2017 and has now been in operation for about a year, giving a first picture of how breaches are being reported.
The OAIC's statistical reports record 812 notifications between 22 February 2018 and 31 December 2018. Organisations should review their data breach response plans and security policies at least annually to make sure newly identified risks are covered.
Preparing to respond to a data breach starts with a thorough assessment of the IT infrastructure and of where personal information is held. It is also worth having executives work through a tabletop exercise in which realistic cyber risks and the consequences of an attack are discussed, so that decision-makers understand their role before a real incident. Human factors cannot be ignored either: staff awareness training is part of minimising the risk that people become the weak point.
What Is a Notifiable Data Breach
The Privacy Amendment (Notifiable Data Breaches) Act 2017 amended the Privacy Act 1988 to require public and private sector entities to notify affected individuals and the OAIC (Office of the Australian Information Commissioner) when a data breach involving personal information is likely to result in serious harm to any of those individuals.
The amendment brings Australia into line with other jurisdictions that require data breach notification. Non-compliance can lead to a complaint to the OAIC and an investigation of the business.
Who Must Comply With the NDB Scheme
- Australian Government agencies.
- Credit reporting bodies, credit providers (for example, banks) and tax file number recipients.
- Private sector organisations. These may be bodies corporate, individuals or unincorporated associations that are established in Australia, carry on business in Australia, or collect personal or sensitive information about people living in Australia.
An entity that discloses personal information to a recipient outside Australia, where APP 8 applies to that disclosure, is treated as still holding that information.
It must therefore notify the Commissioner and the affected individuals if the overseas recipient suffers an eligible data breach involving that information.
Notification of Data Breaches
The Privacy Act requires covered entities to notify affected individuals and the Commissioner where there are reasonable grounds to believe that an eligible data breach has occurred, that is, a breach likely to result in serious harm. The scheme is set out in Part IIIC of the Privacy Act and commenced on 22 February 2018.
An organisation or agency will usually notify you of a breach by the method it normally uses to contact you, such as email, phone, SMS or letter. If it is not practicable to notify every affected individual directly, the organisation must publish a copy of the statement on its website.
In addition, it must take reasonable steps to publicise that statement, for example through social media posts or advertisements, so that affected people learn why they have received a breach alert.
Collection and Processing of Personal Information
All organisations in Australia covered by the APPs should note that they must not collect personal information, such as contact details, unless that information is reasonably necessary for their business functions or activities.
They must also take reasonable steps to keep the information they collect accurate, up to date and protected from misuse, loss and unauthorised access.
Before or at the time an organisation collects personal information, or as soon as practicable afterwards, it must take reasonable steps to notify the individual of:
- The organisation’s contact information or its identity.
- Whether the organisation will share the information and, if so, with whom.
- Why the organisation is collecting the personal information and how it will use that information.
- Whether any law requires or authorises the collection.
- The consequences, if any, for the individual if they do not provide all or part of the requested information.
- How the individual can access the information held about them, request corrections, or complain about a breach of the APPs, and how the organisation will deal with such complaints. This information should also appear in the organisation's privacy policy.
- Whether the organisation is likely to disclose the personal information to overseas recipients and, if so, the countries in which those recipients are likely to be located.
To show compliance with these notification requirements, organisations often include this information in a collection notice or privacy policy and ask individuals to accept it before any personal information is collected.
Important Takeaways
Following the start of Australia's mandatory notifiable data breach scheme, we should note that:
- Entities whose eligible data breaches are published will suffer reputational damage, and litigation related to significant breaches is likely to increase.
- The number of publicly announced data breaches should be expected to rise, because the scheme requires data holders to notify the affected individuals rather than keeping breaches quiet.
- If an entity suspects that a breach has taken place but is not sure whether it is an eligible data breach, it must assess the suspected breach within 30 days to determine its nature and whether notification is required.
- All entities are expected to take reasonable steps to reduce the likelihood of data breaches and, if a breach does occur, to issue proper notifications describing the affected individuals and the personal information involved.
- The serious-harm threshold is decisive: only breaches likely to result in serious harm must be notified, and if an entity takes remedial action quickly enough that serious harm is no longer likely, notification is not required.
A data breach occurs when individual personal information that is held by an organisation is subject to misuse, loss, modification, unauthorised access, or disclosure. There are different types of data breaches and each has unwanted consequences like reputational damage or financial loss.
The Notifiable Data Breach Scheme within the privacy act requires some entities to notify the Commissioner and individuals about data breaches that are likely to bring about serious harm to the individual involved.
The NDB scheme covers every entity bound by the APPs that holds personal information. Small business operators are not automatically exempt: those that are health service providers, trade in personal information, or hold tax file numbers are covered even below the $3 million turnover threshold. Your small business should check whether it falls within the scheme and, if so, ensure it is compliant with all of its requirements.
Data privacy is an important aspect of cybersecurity. You should follow the regulations that apply to the data you hold not only for compliance purposes but also because the same controls protect you against breaches and other unwanted cyber incidents.
How cyber-secure is your business? Find out with our free cybersecurity health check.
It’s a 30-minute Zoom call that walks through a checklist to assess your current cybersecurity levels and provide a short report with some advice and recommendations.