As the new Notifiable Data Breach Schemecomes into effect in Australia as of 22 February 2018, there is now an onus on business to protect and notify individuals whose personal information is involved in a data breach that is likely to result in serious harm.
When most people think of data breaches, they think of sneaky virus attacks with employees being tricked into opening files allowing viruses to penetrate servers, but the reality can be much more mundane, plausible and preventable.
And it’s not all about IT systems and cybersecurity. There have been numerous cases of hard copy records being disposed of inappropriately, sensitive data on USBs lost on the way home or machines being disposed of complete with data on the hard disk. (As a side note, did you know that GrassrootsIT offers a service where your decommissioned hardware is disposed of securely?)
Who is covered by the data breach scheme?
The Notifiable Data Breach (NDB) Scheme affects organisations covered by the Privacy Act – that is, organisations with an annual turnover of $3 million or more. But, if your business is ‘related to’ another business covered by the Privacy Act, or deals with health records (including gyms, child care centres, natural health providers, etc.,), or is a credit provider, then your business is also affected.
What do you need to do?
Complying with these new laws means more than ringing the bell and notifying your customers and authorities when a breach occurs. Organisations are required to take all reasonable steps to prevent a breach occurring in the first place. This means putting in place the systems and procedures to identify and assess breaches and issue a notification if a breach is likely to cause ‘serious harm’.
How do you assess your risk?
The Privacy Act already requires organisations to take all reasonable steps to protect personal information. The new data breach laws merely add an additional layer to assess breaches and notify where the breach poses a threat.
- Firstly, consider some of the following questions:
- How does personal information flow into and out of your business?
- What information do you gather?
- What information do you provide?
- Where do you store private information? – What systems do you use, where do these systems store data, what level of security is provided within those systems and what level of access does each team member have (and should they have access for their role)?
- Who in your organisation has access to sensitive information, and not just who is accessing the information for their work but who ‘could’ access this information?
- What are the possible impacts on an individual’s privacy?
- What are the policies and procedures in place to manage private information, including risk management and mitigation, are these adhered to and actively managed?
- Do you have a policy review process, and if so, is it reviewed at least annually, and also with the introduction of new systems and technology? (Remember, you can’t just have a policy sitting somewhere, it needs to be actively reinforced and adopted by team members)
- Protect your business. Document, document, document! If there is ever an issue where your business’ culpability is assessed, your capacity to prove that you took all reasonable steps will be important.
What is your Data Breach Plan?
When it comes to data breaches, all organisations must have a data breach response plan.
The data breach plan covers the:
- Actions to be taken if a breach is suspected, discovered or reported by a staff member, including when it is to be escalated to the response team.
- Members of your data breach response team (response team), and;
- Actions the response team is expected to take.
Hopefully all the systems you have in place will ensure you don’t need to deal with a data breach, but if it does happen, you will need to notify various parties, including:
- The individuals impacted by the data breach
- The Office of the Australian Information Commissioner
You can notify the Commissioner using this form.
To access the full guide to the Notifiable Data Breach Scheme, you can find it on the OAIC website.
While it’s unknown at this stage what the repercussions will be from a data breach and how the OAIC will police it, it’s important that we get our preparation in place. At the end of the day, making sure we have robust systems to protect the data of our clients should be high on the priority list anyway – this is just another reminder to ensure we have the right policies and procedures in place to back up what we’re already doing.
If you need any assistance assessing the security of your IT systems, contact us today.