New Data Breach Legislation: Are You Ready?

20 August 2017 by Jean Boyd

A significant change to Australia’s data security legislation is heading our way in 2018. Here’s a quick rundown on what you need to know and do to prepare.

What’s the change?

A mandatory data breach notification scheme is being introduced that requires businesses and government agencies to notify the Privacy Commissioner and customers if there is a data breach.

Who needs to comply?

Any organisation governed by the Privacy Act. This excludes state government organisations, local councils and organisations with a turnover of less than $3 million per year.

What is an eligible data breach?

According to the official website:

  • Any data breach that is likely to result in serious harm to any of the individuals to whom the information relates.
  • A data breach occurs when personal information held by an organisation is lost or subjected to unauthorised access or disclosure.

Examples of a data breach include when:

  • a device containing customers’ personal information is lost or stolen
  • a database containing personal information is hacked
  • personal information is mistakenly provided to the wrong person.

What action must be taken if there is a breach?

If a suspected data breach occurs, you must undertake an assessment within 30 days. If it is determined to be a breach, you must notify the Privacy Commissioner and affected individuals about the breach, including your company’s name and contact details, a description of the breach, the kinds of information involved, and recommended actions those affected should take to protect themselves.

What happens if I don’t comply?

The penalties for failure to notify include fines of $360,000 for individuals and $1.8 million for organisations.

What should I do to prepare?

If you’re not already serious about data security, now is the time. Preparation may include:

  • Review your practices, procedures and systems for securing personal information.
  • Review the security measures of your partners and suppliers, including those involved in outsourced IT asset management services.
  • Update or create a data breach response plan so that you can respond quickly, effectively, and in full compliance.
  • Educate staff and create a culture of data security and protection. It’s no longer just an IT responsibility; it affects many departments and employees, such as those in marketing.
  • Take expert advice, including from legal advisors, on the suitability of your employment and business contracts and NDAs.

And finally, when you are disposing of end-of-life IT assets, make sure you work with a supplier like Greenbox that has the highest security measures in place, along with a full understanding of the new legislation.