Mandatory Data Breach Notification

What you need to know

Amendments to the Privacy Act 1988 (Cth) that came into force in February 2018 have created much discussion, particularly in light of the recent Cambridge Analytica data story and the Commonwealth Bank security breach revealed in early May 2018.

If the Privacy Act applies to your organisation, then these amendments also apply. Generally, the Privacy Act applies to organisations with an annual turnover of more than $3 million.

The new regime requires organisations to report any data breach to the Office of the Australian Information Commissioner (OAIC) within very short time frames.

What is a data breach? A data breach occurs when information or data that includes personal information capable of identifying a person is lost or stolen, sent by accident to the wrong person, or hacked.

Importantly, a data breach must be likely to result in serious harm in order to be notifiable to the OAIC.

Organisations must take swift remedial action once they become aware of a data breach, and such action must form part of their notification to the OAIC. Where there is only a suspicion of a data breach, then the organisation must undertake a thorough assessment in order to satisfy itself of the likelihood of the breach, and any likely harm which may result. Any assessment must be done as soon as practicable, and most certainly within 30 days.

If a breach has occurred, a detailed statement must be provided to the OAIC containing the entity’s contact details, the type of information affected, a detailed description of the breach, and what steps have been undertaken to try to minimise or eradicate any harm.

Serious penalties apply for breaches of the scheme, of up to $2.1 million for corporations.

It goes without saying that all organisations will hope it does not happen to them, but the best approach, as with anything, is to be forearmed.

We recommend that all organisations introduce a policy that stipulates how data breaches are to be managed, and have a precedent statement ready to be completed and sent to the OAIC.

Very helpful information is available on the OAIC website: https://www.oaic.gov.au/agencies-and-organisations/guides/data-breach-preparation-and-response

For Australian companies with a presence in the EU, including by way of internet sales, new regulations come into force on 26 May 2018 (next week!) and must not be ignored, as fines for companies are up to €20 million.

Important information is available here: https://www.eugdpr.org/