Data Breach Laws for Business
As from the 22nd February 2018, all organisations in Australia that are regulated by the Privacy act 1988 are subject to the requirements of the act covering a data breach. An organisation is required to notify any individuals likely to be at risk of ‘serious harm” because of a data breach, together with the Privacy Commissioner.
In understanding an organisations requirement it is highly recommended that an organisation seeks legal advice and guidance from the Australian Government Office of the Australian Information Commissioner website
Which data breaches require notification?
The criteria is based around the term “likely to cause serious harm.” A breach occurs when personal information is held by an organisation is lost or subjected to unauthorised access or disclosure.
- A device that is lost or stolen and contains customers personal information
- The hacking of your databases that contain personal information
- Where personal information is supplied mistakenly to the wrong person
If your organisation turns over 3 million then you have obligations under this act. This threshold applies to all types of organisations including Not for profit.
Note there are exceptions to the 3 million criteria and an organisation needs to seek advice as to whether they are coved by the act. If you do not turn over 3 million it does not mean you’re exempt as The Office of the Australian Information Commissioner website highlights some of the following exceptions to the 3 million threshold:
- Entities that provide health services
- Entities that trade in personal information
- Credit reporting bodies
- Employee associations registered under fair work
The above list is not exhaustive.
Assessing a data breach
- If an entity has reasonable grounds to believe that it has experienced an eligible data breach, it must promptly notify individuals and the Commissioner about the breach, unless an exception applies
- In contrast, if an entity suspects that it may have experienced an eligible data breach, it must quickly assess the situation to decide whether or not there has been an eligible data breach
- An assessment must be reasonable and expeditious, and entities may develop their own procedures for assessing a suspected data breach.
For example, misplacing a computer or a USB stick that contains personal information where the device can be recovered by a third party would almost certainly be an eligible data breach. (source www.rk.com.au/insights/australias -new-data-breach-notification-law-what-does-it-mean-for-you/)
What are the 4 key steps if data breach occurs?
They following information is sourced from the Office Australian information Commissioner website
Contain the data breach to prevent any further compromise of personal information
Assess gather the facts and evaluating the risks including potential harm to affected individuals and where possible taking remediate any risk of harm
Notify the individuals and the commissioner as required by the act.
Review the incident identify and consider the actions that can be taken to prevent future breaches.
Do you need a response plan?
In short it is good business practice for an organisation to have a response plan. The plan is a framework that sets out the roles and responsibilities involved in managing a data breach. It also outlines in a descriptive format of the steps an entity will take if a data breach occurs.
Your data breach response plan should be in writing to ensure that your staff clearly understand what needs to happen in the event of a data breach. It is also important for staff to be aware of where they can access the data breach response plan on short notice.
You will need to regularly review and test your plan to make sure it is up to date and that your staff know what actions they are expected to take. You can test your plan by, for example, responding to a hypothetical data breach and reviewing how your response could be made more effective.
A checklist of what the plan should cover is located at www.oaic.gov.au/agencies-and-organisations/guides/data-breach-preparation-and-response
Use this list to check whether your response plan addresses relevant issues.
Information to be included
What a data breach is and how staff can identify one Yes/No
Clear escalation procedures and reporting lines for suspected data breaches Yes/No
Members of the data breach response team, including roles, reporting lines and responsibilities Yes/No
Details of any external expertise that should be engaged in particular circumstances Yes/No
How the plan will apply to various types of data breaches and varying risk profiles with consideration of possible remedial actions Yes/No
An approach for conducting assessments Yes/No
Processes that outline when and how individuals are notified Yes/No
Circumstances in which law enforcement, regulators (such as the OAIC), or other entities may need to be contacted Yes/No
Processes for responding to incidents that involve another entity Yes/No
A record-keeping policy to ensure that breaches are documented Yes/No
Requirements under agreements with third parties such as insurance policies or service agreements Yes/No
A strategy identifying and addressing any weaknesses in data handling that contributed to the breach Yes/No
Regular reviewing and testing of the plan Yes/No
A system for a post-breach review and assessment of the data breach response and the effectiveness of the data breach response plan Yes/No
This is a complex and confusing area of the law and all businesses should read widely and seek advice from the appropriate qualified personnel your legal representative.
Where does Computer Troubleshooters help you? We offer a range of services that are aimed at minimizing the risk associated with your organisation being impacted by a data breach. For more information contact your local Computer Troubleshooter on 1300 28 28 78.