Do you store personal information on your customers? Then keep reading because the law is changing.
A lot of personal information, such as addresses, birth dates and bank details, is collected by businesses about customers and stored online.
Sometimes this information is released publicly by accident or as a result of poor security. For example, computer systems can be hacked and personal information stolen. We saw an example of poor security recently when Uber reported unauthorised access to the records of over 57 million Uber users and drivers, which happened over a year ago.
But new privacy rules set to start in Australia in February aim to better protect people’s personal information, by making businesses more accountable if they expose it. If you own a business, this is a prompt for you to take extra steps to protect your business from cyber attacks, and protect the valuable data you hold about your customers.
The Notifiable Data Breaches Scheme will start on 22 February 2018. Under it, businesses covered by the Privacy Act must tell a person if that person's personal data has been involved in a data breach that has put them at risk of serious harm.
What is a Notifiable Data Breach?
A data breach happens when personal information held by an organisation is lost, or accessed or disclosed without authorisation. Examples include:
- a device such as a computer or phone containing customers’ personal information is lost or stolen
- a database of customer details is hacked
- personal information is given to the wrong person by mistake.
Not all data breaches will trigger the notification requirements under the new scheme. A Notifiable Data Breach is one that is likely to cause serious harm to the person the information relates to. This could include serious physical, psychological, emotional, financial, or reputational harm.
What do businesses need to tell people affected?
When businesses notify people affected by a Notifiable Data Breach, they will need to include:
- the identity and contact details of the organisation
- a description of the eligible data breach
- the kinds of personal information that have been exposed
- recommendations about the steps they should take in response to the data breach.
Incidents covered by the scheme must be reported to the individual affected and the Office of the Australian Information Commissioner as soon as possible. Penalties of up to $2.1 million exist for companies that do not comply.
Who has to comply?
If you’re a business with an annual turnover of $3 million or more, a private health service provider, or you are already required by the Privacy Act to keep personal information secure, then the new Notifiable Data Breaches scheme will apply to you.
In general, small business operators will not be affected by the new legislation. However, credit reporting bodies and providers, businesses providing services to federal government agencies under contract, those that store tax file numbers, and a few others, will have obligations under the scheme.
How can businesses prepare?
To prepare for the scheme, the OAIC recommends businesses should:
- Review their practices, procedures and systems for securing personal information. It has a comprehensive Guide to securing personal information to help with this.
- Prepare or update their data breach response plan to ensure they are able to respond quickly to suspected data breaches. The OAIC’s Data breach notification — A guide to handling personal information security breaches and Guide to developing a data breach response plan provide a best practice model.
- Ensure good privacy governance and compliance with the Privacy Act. The OAIC’s privacy management framework sets out the steps it expects businesses to take.
The OAIC has published a webcast on how to prepare for the Notifiable Data Breaches Scheme. It covers the key requirements of the scheme and frequently asked questions. You can also get information on the OAIC’s Notifiable Data Breaches scheme webpage.
We’ll bring you more information on the new data breach scheme as we get closer to the start date of 22 February.