Earlier this year, Federal Parliament passed a bill that had been in the works for a very long time and that makes a fundamental change to how the Privacy Act operates. At the moment, Australia does not have what is called a Mandatory Breach Reporting procedure; in February 2018 that is all going to change.
Basically, this means that if an organisation suffers a breach and your personal information is disclosed, the affected organisation will be required to notify the Office of the Australian Information Commissioner (OAIC) of the breach and to notify the affected individual(s).
This new bill is going to change how businesses deal with privacy and how they respond to issues. Possibly more importantly, the Privacy Commissioner will be given some real teeth: fines of up to $360,000 can be levied on individuals, and up to $1.8 million on organisations, that do not comply with the new Mandatory Breach Reporting procedure.
These new requirements demand fundamental changes to how Australian organisations handle personal information, and set the stage for some of the largest changes to privacy regulation in the last decade.
What you need to know
When the Australian Parliament passed the Privacy Amendment (Notifiable Data Breaches) Act 2017 (the NDB scheme) on 13 February 2017, it started a process under which, from 22 February 2018, all organisations covered by the Australian Privacy Principles (APPs) will have an obligation to report eligible breaches of their data.
It will become mandatory for organisations to show that they have taken all reasonable steps to ensure an assessment is completed within 30 days. If an eligible data breach is confirmed, they must, as soon as practicable, provide a statement to each of the individuals whose data was breached (or who are at risk), including details of the breach and recommendations on the steps affected individuals should take. A copy of these statements must also be provided to the OAIC.
The Privacy Act only applies to organisations that have a turnover of $3 million or more, or that hold sensitive information. While many smaller businesses would not turn over $3 million or more per annum, a lot of them deal with large businesses, and the large businesses are captured by the Privacy Act; therefore, contractual obligations could be imposed on the small businesses to protect personal and sensitive information in line with the larger organisation.
What do we mean by sensitive information?
Sensitive information is broadly defined, but essentially it is the vast bulk of personal information that people hold: name, date of birth, physical address, possibly occupation. It also extends to information such as shopping histories, preferences, websites, databases, searches, health information, even political affiliations, and the like.
With so much change coming in 2018, now is the time for all organisations to take stock of their current privacy programs and data breach processes to ensure that they are set up to meet these new requirements.
Disclaimer: This article does not purport to be legal advice; it is to be used purely as a guide to the upcoming Privacy Act changes. DWS and any of its subsidiary companies will not be held liable for any issues that arise from the use of this information. If you would like to review the Privacy Amendment in more detail, visit https://www.legislation.gov.au/Details/C2017A00012
Please also visit www.oaic.gov.au for the Privacy Commission’s Notifiable Data Breaches Guide.