In February 2018 an amendment to the Privacy Act will come into effect, and all Australian businesses should understand how it may affect them. At The Code Company we have worked through this amendment and are here to assist our clients in understanding how this change will impact them and their clients’ data security.
The [Privacy Amendment (Notifiable Data Breaches) Bill] means any organisation with an annual turnover of greater than $3 million AUD will be required to notify the Office of the Australian Information Commissioner (OAIC) AND any potentially affected individuals of an ‘eligible’ data breach. There are two important things to know before we move on to defining what constitutes an ‘Eligible Data Breach’.
Firstly, if you or your organisation has reason to suspect that an eligible data breach has occurred, the amendment requires the organisation to perform a swift and diligent assessment of this breach – within 30 days. Secondly, failure to comply with the obligatory notifications can result in fines of:
The OAIC will need to be notified if:
For clarity’s sake, below are examples of a potential breach where a notification to the OAIC would be required:
In light of the amended act there are some suggested steps that could be taken.
Develop an incident response plan.
This will ensure the right steps are taken if there is a suspected breach.
Perform an audit of potential risks and threats to your clients’ personal information and take steps to mitigate any identified risks.
An example of a risk may be storing exported customer data on a shared Google Drive and inadvertently granting access to this drive to a person or persons who are not authorised to access such data.
Perform an assessment of IT infrastructure to determine any existing breaches or risks, and continue to perform these assessments at regular intervals as required.
This is best done with your development partner or internal teams and any technology vendors (such as managed services providers / hosting companies).