Does your organisation have a privacy compliance programme? 2018 has seen a significant escalation in privacy and data protection regulations both in Australia and internationally. These new compliance obligations can be tricky to navigate, but businesses need to ensure they are in line with current privacy laws.
Notifiable Data Breach scheme
On 22 February 2018, the Notifiable Data Breach (NDB) scheme came into effect in Australia. As a result, all Australian organisations subject to the Privacy Act 1988 are required to report serious data breaches.
In the first six weeks of the NDB scheme 63 data breach notifications occurred. This is a significant increase, as only 114 notifications happened in the previous 12 month period. 50% of these breaches were due to human error.
Does the NDB scheme affect my organisation?
You must comply with the NDB scheme if your organisation:
- Is a credit provider
- Keeps tax file numbers (TFN), linking a specific TFN with a particular individual
- Is a credit reporting body
- Is subject to the Australian Privacy Principles in the Privacy Act 1988
- Provides any health services
- Trades in personal information
Follow this link for more details on entities covered by the NDB scheme.
Costs of non-compliance
Under the NDB scheme organisations must report data breaches involving personal information that could result in serious harm to an individual. Click here for details of these ‘eligible data breaches’. If your organisation does not notify individuals of possible breaches, the following consequences can result:
- Regulatory action
- Investigation by the Privacy Commissioner
- Penalties of up to $2.1million
Have a data breach response plan in place
If your organisation believes an ‘eligible data breach’ has occurred, you are required to promptly notify individuals at likely risk of serious harm. Also, the Privacy Commissioner should be notified.
The notification should include the following information:
- The contact details and identity of the organisation
- A description of the data breach
- The type of information concerned
- Recommended steps individuals should take due to the data breach
Notifiable Data Breach forms are available at this link.
A Privacy Compliance Checklist
When developing a privacy compliance programme, be sure that all the following blocks are checked:
- A data breach response plan
- All supplier contracts reviewed to reflect the new privacy regulations
- The organisation led by the Board and senior management
- Regular Privacy Law training provided to the staff
- Regular reviews and updates occur
- Detailed procedures and security policies in place
- A system of destroying ‘old’ personal information (PI)
- Template clauses when using service providers who need access to PI
- A designated Privacy Officer
- Compliance audits
- You are fully aware of how PI is handled, where it is kept and the risks associated with that information
This publication is for your general information and interest only. It is therefore not intended to be comprehensive, and does not constitute and must not be relied on as legal advice. You must seek advice tailored to your specific circumstances.