The Privacy Amendment (Notification of Serious Data Breaches) Bill 2015 is set to come into force this year. Australia’s small and large businesses should now review their policies for both data protection and reporting data breaches as they arise. The government is accepting comment on the Bill until the 4th March 2016.

Cybercrime financially impacts Australia’s economy, with estimated self-reported losses totalling $234 million. The rationale for data breach notification laws isn’t simply financial, however, and includes:

  • The ability to access personal information online and commit identity fraud means that this information should be better protected.
  • Individuals are notified about breaches so they can also take action to protect their personal information.  
  • This notification system and penalties for non-reporting aim to incentivise reporting and encourage businesses to reduce breaches.

Do the Data Breach Notification Laws Apply to Everyone?

The new data breach notification laws don’t apply to every Australian business, but they do apply to any business that is required to comply with the Privacy Act 1988 (Cth) (Privacy Act) and the Privacy Principles.

This includes businesses that have a turnover of more than $3 million and businesses that use personal information for certain purposes. You can read more about whether you are required to comply with the Privacy Principles in our article, ‘Am I legally required to have a privacy policy?’

What Do the Laws Mean for my Business?

The new laws will introduce reporting obligations around a data breach. Currently, businesses required to comply with the Privacy Act must meet certain requirements around storing and protecting data but aren’t obligated to report a breach. Under the new legislation, you are required to report a breach where there is a real risk of serious harm to an individual. This allows the affected individual to then take appropriate steps to protect their data, for example, cancelling their credit card. Including the threshold of serious harm should reduce the number of reports and notifications required. However, businesses will need to ensure that they are equipped to make such assessments.

What Processes Should I Put in Place?

Businesses that must comply will be required to implement several procedures to notify their customers of each serious breach. The Bill provides a twelve-month grace period so companies have enough time to respond. Some of the changes you may need to consider include:

  • Increasing technical support and investigation teams to identify the individuals affected by a potential breach;
  • Training staff as to the notification procedure and the format required under the Bill;
  • Having a system in place to notify individuals and field complaints or questions if a breach that requires notification occurs; and
  • Reviewing your current systems to ensure that you have identified any weaknesses in your current security and data systems.

Businesses have 30 days to assess whether a breach has occurred which would lead to a serious risk. A serious data breach relates to personal, credit reporting, credit eligibility and tax file number information. The Bill will provide guidance as to what factors businesses need to consider in making this decision.

Key Takeaways

Companies, particularly those with a large online presence, or businesses that collect significant amounts of personal data online should review and update their systems now. If you have specific concerns, you should also consider submitting your comments on the Bill.   

***

Questions about the Privacy Act, cyber laws or protecting your business? Ask our IT lawyers on 1300 544 755.

Edith Moss