Whilst this topic can keep any prudent business owner up at night (if they don’t have proper IT protections), new legislation came into play on 22 February 2018 which should keep us all up at night if we don’t put the proper protections in place.
The Privacy Act (the “Act”) was amended on 22 February 2018 to introduce new requirements for businesses (and anyone really who is caught by the Act) to notify the Australian Information Commission if they have an ‘eligible data breach’. A failure to notify can result in crippling fines.
Subject to some exceptions, all Australian Government Agencies, all businesses and not-for-profit organisations with an annual turnover of more than $3million have responsibilities under the Privacy Act and are required to notify of an eligible data breach.
Some small business operators are also covered in certain circumstances (and these circumstances are wide and varying). Therefore, we strongly recommend you get legal advice if you are not sure whether the Privacy Act and these new provisions apply to you or not.
The legislation defines this to be any unauthorised access to information, or loss of information, where the information involved is such that a reasonable person would conclude that access is likely to result in serious harm to any of the individuals to whom the information relates.
Although this definition is wide, and may be open to interpretation, the message is clear; where you hold personal information, you must take measures to secure that information.
We strongly advise firstly to do everything possible to secure your data, and then seek legal advice.
If you are required to comply with the notification requirements, a statement must be prepared and sent to the Commission, and you are required to notify the client/customer/people involved that their private information has been compromised.
Whilst there are some exceptions to the requirement to notify the Commission, these are limited. We recommend treading very carefully if you wish to rely on any exception.
If you fail to notify the Commission, this is considered to be an interference with the privacy of the individual(s) involved and you can be liable to significant fines, up to $2.1 million.
Whilst we may not be IT whizzes, there are some simple preventative actions which we recommend;
Prevention is always better than a cure. We strongly recommend –
If you are not sure whether this legislation applies to you or if you find yourself in a situation where data is compromised, don’t hesitate to contact our team.