How will Mandatory Data Breach Notifications impact your business?

13th February 2018

By Ben May

On 22 February 2018 an amendment to the Privacy Act 1988 comes into effect, and all Australian businesses should understand how it may affect them. At The Code Company we have worked through this amendment and are here to assist our clients in understanding how the change will affect them and the security of their clients’ data.

The Privacy Amendment (Notifiable Data Breaches) Act 2017 means that any organisation with an annual turnover greater than $3 million AUD (along with certain other entities the Privacy Act already covers, such as health service providers) will be required to notify the Office of the Australian Information Commissioner (OAIC) AND any individuals at likely risk of serious harm about an ‘eligible’ data breach. There are two important things to know before we move on to defining what constitutes an ‘eligible data breach’.

Firstly, if you or your organisation has reason to suspect that an eligible data breach has occurred, the amendment requires a reasonable and expeditious assessment of the suspected breach, to be completed within 30 days. Secondly, failure to comply with the notification obligations can attract civil penalties of up to:

  • $360,000 for individuals
  • $1.8 million for organisations.

So what is an Eligible Data Breach?

The OAIC (and the individuals at risk) will need to be notified if:

  • there is unauthorised access to, or unauthorised disclosure of, personal information, OR personal information is lost in circumstances where unauthorised access or disclosure is likely to occur; AND
  • a reasonable person would conclude that the access or disclosure is likely to result in serious harm to any of the individuals to whom the information relates. (Harm can include physical, psychological, emotional, reputational and financial harm.)

One important caveat: if the organisation takes remedial action quickly enough that a reasonable person would conclude the access or disclosure is no longer likely to result in serious harm, the incident is not an eligible data breach and does not need to be notified. That is a strong argument for being able to detect and contain incidents fast.

For clarity’s sake, below are examples of a potential breach where a notification to the OAIC would typically be required (subject to the serious-harm test above):

  • where a client’s personal information has been mistakenly sent to the wrong person, or
  • where a database containing personal information has been broken into.

What are the next steps?

In light of the amended Act, there are some steps we suggest taking.

Develop an incident response plan.

This ensures the right steps are taken, and the 30-day assessment deadline is met, if a breach is suspected.

Perform an audit of the potential risks and threats to your clients’ personal information and take steps to mitigate any risks you identify.

An example of such a risk is storing exported customer data in a shared Google Drive folder and inadvertently granting access to that folder to a person or persons who are not authorised to see the data.

Perform an assessment of your IT infrastructure to identify any existing breaches or risks, and repeat these assessments at regular intervals.

This is best done together with your development partner or internal teams and any technology vendors (such as managed service providers or hosting companies).
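As an added example of the kind of check an audit like the one above would run (it is not code from the original article or from The Code Company), the script below takes a list of file sharing records and flags every permission that grants access outside the organisation: public links, entire external domains, and individual external users or groups. The records are constructed for the example and mirror the shape of the Google Drive API v3 permissions resource (``type`` of user, group, domain or anyone, plus ``role`` and ``emailAddress``/``domain``); the organisation domain ``example.com.au`` is assumed.

```python
"""Flag over-shared files in a Drive-style permission export.

Added example, not from the original article. The records below are
constructed to mirror the shape of the Google Drive API v3 ``permissions``
resource (``type`` is one of user/group/domain/anyone; ``role`` is owner,
writer, commenter, reader, ...). It runs offline on the embedded sample; to
use it for real, feed it the ``permissions`` array you export for each file.
"""

ORG_DOMAIN = "example.com.au"  # assumed organisation domain

# Constructed sample: three files, one of them an export of customer data.
SAMPLE_FILES = [
    {
        "name": "customers-export-2018-02.csv",
        "permissions": [
            {"type": "user", "role": "owner", "emailAddress": "ops@example.com.au"},
            {"type": "anyone", "role": "reader"},  # "anyone with the link"
            {"type": "user", "role": "writer", "emailAddress": "freelancer@gmail.com"},
        ],
    },
    {
        "name": "marketing-plan.docx",
        "permissions": [
            {"type": "user", "role": "owner", "emailAddress": "ops@example.com.au"},
            {"type": "domain", "role": "reader", "domain": "example.com.au"},
        ],
    },
    {
        "name": "tfn-register.xlsx",
        "permissions": [
            {"type": "user", "role": "owner", "emailAddress": "hr@example.com.au"},
            {"type": "group", "role": "reader", "emailAddress": "all-staff@partner-agency.com"},
            {"type": "domain", "role": "reader", "domain": "contractor.net"},
        ],
    },
]


def email_domain(address):
    """Return the lowercase domain part of an email address ('' if none)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def classify_permission(perm, org_domain):
    """Return a reason string if this permission grants access outside org_domain, else None."""
    ptype = perm.get("type")
    role = perm.get("role", "unknown")
    if ptype == "anyone":
        # Link sharing: anybody holding the URL can open the file.
        return f"public link ({role}): anyone with the URL can open it"
    if ptype == "domain":
        dom = perm.get("domain", "").lower()
        if dom != org_domain:
            return f"shared with entire external domain {dom} ({role})"
        return None
    if ptype in ("user", "group"):
        addr = perm.get("emailAddress", "")
        if email_domain(addr) != org_domain:
            return f"external {ptype} {addr} ({role})"
        return None
    # Anything we do not recognise is worth a human look rather than silence.
    return f"unrecognised permission type {ptype!r}"


def flag_risky_shares(files, org_domain=ORG_DOMAIN):
    """Return (file name, reason) pairs for every permission that leaves the organisation."""
    findings = []
    for f in files:
        for perm in f.get("permissions", []):
            reason = classify_permission(perm, org_domain.lower())
            if reason:
                findings.append((f["name"], reason))
    return findings


if __name__ == "__main__":
    for name, reason in flag_risky_shares(SAMPLE_FILES):
        print(f"{name}: {reason}")
```

On the sample data the customer export is flagged twice (a public link and an external writer) and the TFN register twice (an external group and an external domain), while the marketing plan, shared only inside the organisation, produces no findings. The same logic applies to any storage service whose sharing model distinguishes internal from external principals; the point is to run it on a schedule and treat each finding as a potential breach to assess, not as a cosmetic tidy-up.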