The Privacy Amendment (Notifiable Data Breaches (NDB)) Act 2017 came into effect on February 22, 2018.
Australian organisations that meet certain criteria under the Privacy Act 1988—be they for-profit, not-for-profit, business or government—must comply with this new amendment.
Any unauthorised access to Personal Information must be reported if there is a likelihood of serious harm to the individual who is the subject of the information. The Act requires you to secure data and notify impacted individuals and the Office of the Australian Information Commissioner (OAIC) in the event of an Eligible Data Breach.
The OAIC explains that an Eligible Data Breach occurs when the following criteria are met:
Your reputation as a good steward of stakeholder and customer data is now on the line. It’s more important than ever to ensure that not only your IT personnel, but all staff, have the skills to minimise privacy breaches and correctly manage incidents of compromise.
Any Australian business or organisation to which the Australian Privacy Principles (APP) apply will be required to comply with the new legislation (APP Entity). APP Entities include:
Basically, if your organisation collects any of the following details, you are impacted by the revised Privacy Act:
The first step for any organisation covered by this Act is to consider the following four points:
In the event of a breach, the OAIC recommends the following four step process:
It’s imperative that you review your data security policies, procedures and systems to ensure you’re protecting the data as best you can and to do so on a regular basis to allow for the evolving threat landscape.
If your organisation suffers, or you suspect that it has suffered, an Eligible Data Breach, it must be reported to the OAIC and to the individuals involved. Reporting should occur as soon as possible to minimise the risk of harm. In any event, the investigation of the incident and the subsequent reporting should be completed within 30 days of the incident.
More information on the mandatory notification obligations can be found here.
The manner of notification will depend on the nature of the breach. It will generally use the channel normally used to contact the individual, must be secure, and must continue to reasonably protect their privacy.
The statement to the Commissioner and any notification to individuals needs to include the following:
For more information, consult the OAIC website.
Currently, there are two classes of penalties for failing to adhere to the Privacy Act:
There are strategies our customers can put in place to help protect themselves against these threats:
Data#3 has solution experts and consultants who can advise your company on best practices to comply with this legislation, no matter how prepared or unprepared you might be.
Our solutions include the following:
To discuss how Data#3’s Security team can assist you, please complete the form below.
The information on this page is intended for general purposes only. In the event you suspect unauthorised access to personal information, Data#3 recommends you seek independent legal advice.