Whilst this topic can keep any prudent business owner up at night (if they don't have proper IT protections in place), legislation that commenced on 22 February 2018 should keep us all up at night if we don't put the proper protections in place.
Amendments to the Privacy Act 1988 (Cth) (the "Act") commenced on 22 February 2018, introducing the Notifiable Data Breaches scheme. Businesses (and anyone else caught by the Act) must now notify the Office of the Australian Information Commissioner (the "Commissioner") if they have an 'eligible data breach'. A failure to notify can result in crippling fines.
Who do the changes apply to?
Subject to some exceptions, all Australian Government agencies, and all businesses and not-for-profit organisations with an annual turnover of more than $3 million, have responsibilities under the Privacy Act and are required to notify of an eligible data breach.
Some small business operators are also covered in certain circumstances (and these circumstances are wide and varied; for example, private health service providers, and businesses that trade in personal information or handle tax file numbers, are covered regardless of turnover). We therefore strongly recommend you get legal advice if you are not sure whether the Privacy Act and these new provisions apply to you.
What is an eligible data breach?
The Act defines an eligible data breach as unauthorised access to, or unauthorised disclosure of, personal information you hold (or the loss of personal information in circumstances where unauthorised access or disclosure is likely to occur), where a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates.
Although this definition is wide, and may be open to interpretation, the message is clear: where you hold personal information, you must take reasonable steps to secure it, and you must be able to establish quickly what was accessed and whether the serious harm test is met. If you only suspect that a breach has occurred, you have up to 30 days to carry out a reasonable and expeditious assessment of whether it is an eligible data breach.
What must I do if I have an eligible data breach?
We strongly advise that you first do everything possible to contain the breach and secure your data (for example, revoke any compromised credentials and preserve your system logs so the scope of the breach can be established), and then seek legal advice.
If the notification requirements apply, you must prepare a statement for the Commissioner setting out your identity and contact details, a description of the breach, the kinds of information concerned and the steps you recommend affected individuals take in response. You must also notify the clients/customers/individuals involved that their personal information has been compromised.
Do I really have to notify the Commissioner?
Whilst there are some exceptions to the requirement to notify the Commissioner, these are limited (for example, where remedial action is taken quickly enough that a reasonable person would conclude serious harm is no longer likely). We recommend treading very carefully if you wish to rely on any exception.
If you fail to notify the Commissioner, this is considered to be an interference with the privacy of the individual(s) involved, and serious or repeated interferences can attract civil penalties of up to $2.1 million for a body corporate.
What should I do now?
Whilst we may not be IT whizzes, there are some simple preventative actions which we recommend:
- Prepare and implement detailed and robust data security procedures;
- Conduct regular training of staff in your data security procedures; and
- Ensure electronic devices such as phones and laptops are encrypted and can be remotely wiped (lost or stolen devices are a common source of data breaches, and encrypted data that cannot be read is far less likely to result in serious harm).
Prevention is always better than a cure. We strongly recommend:
- reviewing your data security procedures (or putting them in place if you haven't got them already);
- reviewing practices within your business to identify and minimise situations where data breaches could arise; and
- consulting with IT experts to minimise the risk of a breach occurring.
If you are not sure whether this legislation applies to you or if you find yourself in a situation where data is compromised, don’t hesitate to contact our team.