The Australian Government has introduced new legislation to protect consumer privacy and personal information by enforcing organisations to be transparent when it comes to data breaches. This is the latest amendment of the Australian Privacy Act 1988 and will be known as the Notifiable Data Breach scheme and will come into effect on the 22nd February 2018.
Who and how does it affect companies today?
It has been mandated that organisations must provide written notification of the accidental disclosure of PI. With organisations moving toward the cloud and mobile channels, the increased risk of information disclosure and fraudulent activity will mean organisations need to employ methods to enhance visibility into the use and outflow of PI throughout their organisation.
So who will this apply to?
- All organisations that are already under the Australian Privacy Act.
- Australian, ACT and Norfolk Island public sector agencies
- Health services providers
- Private sector organisations with an annual turnover of over $3 million
- Some small businesses and non-government organisations
What is deemed a data breach under the NDB scheme?
An organization is only required to notify when a data breach is likely to result in serious harm to the individual who the information is related to. There will be some exceptions which means not all breaches would need to be notified to the individual or commissioner.
What is considered serious harm?
- Identity theft
- Financial loss
- Threat to physical safety
- Threat to emotional wellbeing
- Loss of business or employment opportunities
- Humiliation, damage to reputation or relationships
- Workplace or social bullying
How to notify?
Prepare a statement and give a copy to the Commissioner as soon as you believe there is an eligible breach. It must have the following information:
- Identity and contact details of the entity
- Description of the breach
- The type of information concerned
- Recommendations the individuals should take or what the entity will do
This should be sent directly to the individuals involved. If this is not possible one must publish a statement on their website and take reasonable steps to publicise the contents of the statement.
Steps to take?
- Strengthen data protection
- Develop a culture of privacy
- Strengthen internal procedures and systems with regards to handling personal information
- Ensure you have the correct technology in place to increase data security such as encryption, backups, password management, data loss and restricted access.
If you are concerned about this new legislation and how it may impact your business now is the time to discuss. Vizstone can work with your organisation to provide the right solution for your business ensuring you have the correct technology in place.
For more information check out the following links.
Gemalto – The Australia Privacy Amendment Act 2017
Gemalto – The General Data Protection Regulation
Netskope – https://www.netskope.com/solutions/data-loss-prevention/
