Whilst this topic can keep any prudent business owner up at night (if they don’t have proper IT protections), new legislation came into play on 22 February 2018 which should keep us all up at night if we don’t put the proper protections in place.
The Privacy Act (the “Act”) was amended on 22 February 2018 to introduce new requirements for businesses (and anyone really who is caught by the Act) to notify the Australian Information Commission if they have an ‘eligible data breach’. A failure to notify can result in crippling fines.
Who do the changes apply to?
Subject to some exceptions, all Australian Government Agencies, all businesses and not-for-profit organisations with an annual turnover of more than $3 million have responsibilities under the Privacy Act and are required to notify of an eligible data breach.
Some small business operators are also covered in certain circumstances (and these circumstances are wide and varying). Therefore, we strongly recommend you get legal advice if you are not sure whether the Privacy Act and these new provisions apply to you or not.
What is an eligible data breach?
The legislation defines this to be any unauthorised access to information, or loss of information, where the information involved is such that a reasonable person would conclude that access is likely to result in serious harm to any of the individuals to whom the information relates.
Although this definition is wide, and may be open to interpretation, the message is clear: where you hold personal information, you must take measures to secure that information.
What must I do if I have an eligible data breach?
We strongly advise that you first do everything possible to secure your data, and then seek legal advice.
If you are required to comply with the notification requirements, a statement must be prepared and sent to the Commission, and you are required to notify the client/customer/people involved that their private information has been compromised.
Do I really have to notify the Commission?
Whilst there are some exceptions to the requirement to notify the Commission, these are limited. We recommend treading very carefully if you wish to rely on any exception.
If you fail to notify the Commission, this is considered to be an interference with the privacy of the individual(s) involved and you can be liable to significant fines, up to $2.1 million.
What should I do now?
Whilst we may not be IT whizzes, there are some simple preventative actions which we recommend:
- Complete and implement detailed and robust data security procedures;
- Conduct regular training of staff in your data security procedures; and
- Ensure electronic devices such as phones and laptops can be externally wiped (to ensure no data breach can occur from lost or stolen devices).
Prevention is always better than a cure. We strongly recommend:
- reviewing your data security procedures (or putting one in place if you haven’t got one already);
- reviewing practices within your business to identify and minimise situations where data breaches could arise; and
- consulting with IT experts to minimise the risk of you committing a breach.
If you are not sure whether this legislation applies to you or if you find yourself in a situation where data is compromised, don’t hesitate to contact our team.
The information provided in this article is for general information and educative purposes in summary form on legal topics and is current at the time it is published. The content does not constitute legal advice or recommendations and should not be relied upon as such. Whilst every care has been taken in the preparation of this article, FC Lawyers cannot accept responsibility for any errors, including those caused by negligence, in the material. We make no representations, statements or warranties about the accuracy or completeness of the information and you should not rely on it. You are advised to make your own independent inquiries regarding the accuracy of any information provided on this website. FC Lawyers does not guarantee, and accepts no legal responsibility whatsoever arising from or in connection to, the accuracy, reliability, currency, correctness or completeness of any material contained in this article. Links to third-party websites or articles do not constitute any endorsement or approval of those sites or the owners of those sites. Nothing in this article should be construed as granting any licence or right for you to use that content. You should consult the third party’s terms and conditions of use in relation to any third-party content. FC Lawyers disclaims all responsibility and all liability (including liability for negligence) for all expenses, losses, damages and costs you might incur as a result of the information being inaccurate or incomplete in any way. Appropriate legal advice should always be obtained in actual situations.