How businesses should prepare for Australia’s new mandatory data breach notification laws
Australia, like other countries, has not been immune to data breaches in which personal information has been exposed. The much-anticipated Privacy Amendment (Notifiable Data Breaches) Bill 2016, whereby organisations will be legally obliged to disclose data breaches, has been passed by the Australian Federal Government, and the laws will come into effect within the next 12 months. The bill applies to all Australian government agencies, businesses, and not-for-profit organisations governed by the Privacy Act with an annual turnover of more than $3 million, with some exceptions. Some small business operators (organisations with a turnover of $3 million or less) are covered by the Privacy Act, including:
- Private sector health service providers. Organisations providing a health service include:
- Traditional health service providers, such as private hospitals, day surgeries, medical practitioners, pharmacists and allied health professionals.
- Complementary therapists, such as naturopaths and chiropractors.
- Gyms and weight-loss clinics.
- Child care centres, private schools and private tertiary educational institutions.
- Businesses that sell or purchase personal information; consumer credit reporting information, including credit reporting bodies, credit providers (which includes energy and water utilities and telecommunication providers) and tax file numbers; and certain other third parties.
Once the mandatory data breach notification scheme comes into force, organisations will need to report any 'eligible' data breaches to the Australian Privacy and Information Commissioner, and notify customers that may have been affected as soon as possible. The government classifies a data breach as an instance where there has been "unauthorised access to, or unauthorised disclosure of, personal information about one or more individuals (the affected individuals), or where such information is lost in circumstances that are likely to give rise to unauthorised access or unauthorised disclosure". It qualifies as an "eligible data breach" when there is a likelihood that the individuals who are affected by the incident are at "risk of serious harm" because their information have been exposed. When contacting the Australian Privacy and Information Commissioner about affected customers, businesses must include a description of the data breach, what kind of information has been compromised, and the steps that individuals can take to respond and protect themselves due to the incident. What if I don't comply? Failure to comply with the new notification scheme will be "deemed to be an interference with the privacy of an individual" and there will be consequences. A civil penalty for serious or repeated interferences with the privacy of an individual will only be issued by the Federal Court or Federal Circuit Court of Australia following an application by the Commissioner. Serious or repeated interferences with the privacy of an individual attract a maximum penalty of $360,000 for individuals and $1,800,000 for bodies corporate. (4) What actions should I take now? If your organisation has been lax with data security policies, this is a wake-up call that the government is taking data breaches more seriously. Every organisation should begin to:
- Review your data collection practices and policies, internal data-handling, and data-breach policies to reflect the new requirements and ensure personal information is collected and stored only when needed.
- Audit how you are holding data and whether any sits with third parties (for example, in the cloud) on your organisation's behalf.
- Strengthen your cybersecurity defences. Visibility is key. This means reviewing your cybersecurity strategies and practices to ensure that steps are in place to avoid data breaches or you have outlined ways to reduce administrative errors, which could lead to a breach. For example:
- Who has access to the data and do they need access to the data? Reducing or limiting access reduces the possibility of anyone inadvertently leaking the data or a cyber criminal getting access to data.
- For sensitive data, think of how it could be shared. Is there the right governance in place to prevent someone from sharing or breaking a business process? Many times a process needs to be updated to ensure there is a balance between the risk and productivity.
Now is the time to sit down, have these conversations, and look at how you're protecting customer data and whether your security practices are adequate. For organisations that have been reluctant to invest in information security practices, this legislation alone should not be the primary driver to protect your organisation and, ultimately, your customers' data. As a priority, every organisation should continually review its data security to ensure that no customer data is unwittingly compromised. You should look at using a risk-based methodology for managing privacy and not wait for the law to come into effect, as the time to act is now.