Introduction and Housekeeping
Caroline Snow:
Before we begin, a couple of housekeeping items.
You will receive the recording and slides in your email following this session. You can submit your questions in the Q&A box, and we’ll try to answer as many as we can at the end of this meeting.
Please complete the feedback survey at the end of this webinar, and stay until the end. You’ll be able to enter the draw to win a pair of Apple AirPods as part of our monthly draw.
By viewing this webinar, you qualify to receive a complimentary consultation with LegalVision to discuss how we can help your business. To claim this, all you need to do is leave your contact details in the survey that appears at the end of the webinar, or contact us via our website.
This factsheet explains what a data breach is and when one is serious, your reporting obligations, and limiting an NDB’s impact.
What This Webinar Covers
Caroline Snow:
Today, we will be chatting about data breaches and privacy. Specifically, what the law requires you to do, what this looks like in practice, the consequences of not getting it right, and what to do to reduce your risks.
I’ll start by giving you a general introduction.
Why Data Breaches Are a Critical Business Risk
Caroline Snow:
It seems like every week we’re hearing about another major cyber security issue or attack in the news, ranging from the Optus data breach that affected millions of Australians to ransomware attacks targeting small local businesses.
Data breaches aren’t just a headline issue anymore. They’re a critical business risk that affects companies of all sizes across different industries.
Privacy and data protection experts and leaders are advising that it’s not a question of if your organisation will be involved in a data breach, but more a question of when.
So it’s crucial to ensure you understand your legal obligations, as well as the operational requirements when navigating this space, and how to minimise your risk. In the worst-case scenario, if something does go wrong, it’s important to understand what you can do to prevent further legal exposure and protect your brand and reputation.
Today, we’re going to try to cut through some of the complexity in this space and break it down into simple steps you can take from a legal and practical perspective. This will help you prevent a data breach from happening and understand what to do if the worst case arises and your business is subject to a data breach.
The Legal Framework for Data Protection in Australia
Caroline Snow:
So, to that point, what are the applicable laws in this space?
The main legislation in Australia is the Privacy Act, and within the Privacy Act are the Australian Privacy Principles, often referred to as the APPs. The APPs set out how businesses can collect, manage, and store personal information.
The APPs apply to what’s called an APP entity. An APP entity is any organisation that had an annual turnover in the previous financial year of more than $3 million. It can also include businesses that contract with certain Commonwealth entities, businesses that trade in personal information, meaning they disclose personal information about an individual for a benefit, service, or advantage, and businesses that provide a health service and hold health information other than in an employment record.
These criteria are fairly broad and cover a large number of Australian businesses.
The annual turnover threshold of $3 million is what is commonly referred to as the small business exception. If a business has an annual turnover below $3 million, it may currently fall outside the scope of the APPs.
However, this is likely to change. In 2023, the government completed a review of the Privacy Act and tentatively agreed to implement up to 38 changes to the legislation. Tranche 1 has already been implemented, and we are waiting for Tranche 2 to commence. There is no confirmed start date yet.
One of the proposed changes is the removal of the small business exception. If this change is implemented, the turnover threshold will no longer apply, and significantly more businesses will be subject to the Privacy Act and the APPs.
That means businesses that previously did not have obligations under the Privacy Act may soon be required to comply.
In addition to the Privacy Act, there is also the Notifiable Data Breaches scheme, which sits within the Privacy Act. This scheme requires organisations to notify affected individuals and the Office of the Australian Information Commissioner where a data breach is likely to result in serious harm.
We’ll go into more detail about what constitutes a notifiable data breach later in the webinar.
At this point, I’ll hand over to Christopher to talk about what a data breach actually is and what this looks like in practice.
What Is a Data Breach in Practice?
Christopher Parker:
Thanks, Caroline.
When we talk about data breaches, we’re really talking about unauthorised access to, disclosure of, or loss of personal information held by an organisation. That can happen in a number of ways.
It might be a cyber attack, such as a phishing attack, ransomware, or malware. It could also be something more human-based, such as sending an email with personal information to the wrong recipient, losing a laptop or USB containing personal data, or an employee accessing information they shouldn’t have access to.
Importantly, a data breach doesn’t need to involve hacking or sophisticated cyber crime. Many data breaches arise from simple mistakes or internal processes not being followed.
Personal information is broadly defined under the Privacy Act and includes information or opinions about an identified individual, or an individual who is reasonably identifiable, whether the information is true or not, and whether it’s recorded in a material form or not.
That means names, email addresses, phone numbers, addresses, dates of birth, and financial information can all be personal information. Sensitive information, such as health information, biometric data, and information about racial or ethnic origin, attracts a higher level of protection.
From a practical perspective, organisations should be thinking about where they store personal information, who has access to it, and how it’s protected. This includes electronic systems, cloud-based storage, physical files, and informal records.
One of the key issues we see is that businesses often collect more personal information than they actually need. Holding unnecessary data increases your exposure and risk in the event of a data breach.
Another common issue is a lack of clear internal policies and training. Employees are often the first line of defence, and without adequate training, they may inadvertently create risks for the business.
Responding to a Data Breach
Christopher Parker:
If a data breach does occur, the first step is to contain it. That might involve shutting down systems, changing passwords, or disabling access.
The next step is to assess the breach, including what information was involved, who was affected, and whether serious harm is likely.
If serious harm is likely, the organisation will have notification obligations under the Notifiable Data Breaches scheme. This includes notifying affected individuals and the regulator as soon as practicable.
Failing to comply with these obligations can result in significant regulatory consequences, including investigations, enforcement action, and substantial penalties.
It can also have reputational consequences, particularly where customers feel their information has not been handled appropriately.
From a preventative perspective, businesses should be focusing on reasonable steps to protect personal information. This includes technical measures such as security software and access controls, as well as organisational measures such as policies, procedures, and staff training.
I’ll now hand back to Caroline to talk about practical steps businesses can take to reduce their risks.
Practical Steps to Reduce Data Breach Risk
Caroline Snow:
Thanks, Christopher.
From a practical perspective, there are several steps businesses can take to reduce the risk of a data breach.
The first is understanding what personal information you collect and why you collect it. You should only collect personal information that is reasonably necessary for your business activities.
You should also review how long you retain personal information and ensure you securely destroy or de-identify information that is no longer needed.
Having clear privacy policies and internal procedures is also critical. These documents should reflect what you actually do in practice and should be reviewed regularly.
Training staff is another key component. Employees should understand their privacy obligations and how to identify and respond to potential data breaches.
Finally, having a data breach response plan in place can make a significant difference if something does go wrong. A clear plan allows your business to act quickly and consistently, reducing legal, operational, and reputational risks.
We appreciate your feedback – your submission has been successfully received.
