Privacy Amendment (Notifiable Data Breaches) Bill
15 August 2017
You may have heard about the recent passing of the Privacy Amendment (Notifiable Data Breaches) Bill 2016 [1], which establishes a protocol for businesses to follow in the event of a data breach.
Many organisations aren’t sure exactly what this means for them and how they can comply with the changed legislation.
In this article we’ll clear up the ambiguity and break down exactly what, when, how, where and why you will have to take action, why it’s not something you need to worry about too much, and what you do need to be aware of.
What is this Bill?
The new legislation essentially puts a mandatory practice in place for businesses with a turnover over 3 million (as well as all healthcare service providers) who experience a data breach [2].
The organisation in question must notify the affected parties based on the following:
- An assessment must be completed (no later than 30 days after the organisation has become aware of the breach) which assesses the potential damage that the breach could cause.
- If the outcome of the assessment is that serious harm is likely, the organisation must then look at steps to remediate the harm.
- If the remedial steps are able to prevent any harm occurring to the affected parties, then the OAIC does not need to be notified.
- If the remedial action is unable to prevent the potential for serious harm occurring to any of the affected parties, then the data breach must be reported immediately to the affected parties.
What does the Bill Require Businesses to do?
The business must send out a notification to the affected parties which includes:
- Description of the data breach
- Information / data breached
- The appropriate steps to be taken regarding the breach (e.g. Change password).
Who else Requires Notification?
The details of the breach must also be reported to the Privacy Commissioner, who can be reached via:
- Phone: 1300 363 992
- Email: email@example.com
- Website: https://www.oaic.gov.au/about-us/contact-us
However, the OAIC gives some leeway here and states on its website that this must only be completed if there is ‘a real risk of serious harm as a result of the data breach’. Whether or not the data breach will cause real harm depends on what information is stolen.
What Counts as a Data Breach?
A ‘data breach’ is defined by the OAIC as:
‘…when personal information held by an agency or organisation is lost or subjected to unauthorised access, modification, disclosure, or other misuse or interference.’ [3]
Examples of personal information can include tax file number information, credit reporting, medical details, eligibility information and personal details.
What happens if we fail to report a serious breach?
A fine of up to $360,000 for individuals and $1.8 million for businesses can be handed down to the guilty parties.
When will this legislation become law?
The legislation commences on 22 February 2018.
How to avoid a Data Breach?
The best method to avoid a disastrous data breach (besides having up-to-date antivirus) is to educate your employees. Unsuspecting employees represent one of the largest security liabilities to modern organisations.
Skills such as being aware of the common malware techniques used by cybercriminals, knowing how to spot a suspicious email, and knowing not to download content from an unconfirmed source can mean the difference between suffering a data breach and staying safe.
In short: make sure whoever looks after your IT is aware of the changes and is competent enough to ensure your organisation is diligently protected.
While these new laws do add an additional layer of due diligence, this ultimately falls on managed service providers such as us to ensure that when breaches happen, they are correctly reported.
Don’t have a Managed Service Provider? Then this will fall on your IT Manager or whoever in your office handles IT security for your business. If you don’t know who this person is, then either your business doesn’t have one or it’s you (uh oh!). In either case… maybe think about giving us or another managed service provider a call.
Want more information on this topic? Check out the OAIC website linked above.
Need to Know More?
If you would like to discuss your security concerns and/or readiness for the Data Breach Laws, please get in contact below or call us above to begin.