Tuesday, 6 February 2018
Originally published by Churches of Christ Insurance (CCI). Republished with permission.
The Australian Government has introduced new legislation to strengthen the protection of privacy and personal information, and to improve organisational transparency regarding data breaches. This is known as Notifiable Data Breach (NDB) scheme and will come into effect on the 22nd February 2018.
Who will it apply to?
The legislation will apply to all organisations currently under the Australian Privacy Act. These are organisations that are already charged with the responsibility to keep personal and sensitive information secure. This includes not-for-profits such as churches or church-based organisations as well as commercial businesses.
What type of information will it apply to?
The scheme applies to all kinds of personal and sensitive information. Examples include names, addresses, email addresses, genders, family members, financial information, tax file numbers, medical history and so on.
When information of these types is collected and stored, steps must be taken to keep it secure and safe and to avoid loss and unauthorised disclosure.
Why is this needed?
There are several reasons why privacy needs further strengthening:
- A lack of reporting requirements for data breaches has led to some organisations hiding or covering up instances of serious privacy breaches.
- The invasion of privacy and / or the theft of personal information can impact seriously on an individual or an organisation or business. Types of harm caused may include financial, reputational, psychological and / or physical.
- Information theft can result in identity crime, which is expensive. It costs Australia approximately $2.2 billion each year according to the Federal Attorney-General’s department.
What types of breaches are ‘notifiable’?
A data breach could occur due to a cyber attack, loss or theft of a device that contains information, or because personal information gets published or shared without authorisation (whether deliberate or inadvertent). Breaches are considered notifiable when they are likely to cause serious harm to the individual or organisation affected.
‘Serious harm’ could include financial losses, risks to personal safety, damage to reputation, or serious psychological harm. It will be up to the organisation concerned to investigate breaches and to determine if serious harm is likely to occur. This needs to be done within 30 days of the breach. The organisation should also take steps to prevent any further harm or damage from happening.
If a notifiable breach has occurred, the organisation must report details of it to those affected by it, and to the OAIC (Office of the Australian Information Commissioner). The police may also need to be notified if a crime is suspected.
Next steps to take
Strengthening data protection benefits everyone, including your organisation. It helps to reduce the risk of insurance claims, financial losses, damaged reputation, and loss of trust.
A proactive approach is required when it comes to managing personal information. Organisations may need to:
- Develop a culture of privacy. This includes ensuring that any personal information collected is treated as an asset to be protected and managed.
- Strengthen internal procedures and systems regarding the handling of personal information.
- Make effective use of technology to increase data security – e.g. encryption, backups, restricted access, and passwords.
- Appoint staff members to oversee information management and to investigate breaches.
More information on the legislation can be found at the OAIC Notifiable Data Breaches web page.
Also check our previous CCI article on privacy law reform in Australia.
Previous posts:February 2018(3)January 2018(1)December 2017(5)November 2017(1)October 2017(5)September 2017(2)August 2017(5)July 2017(7)June 2017(5)May 2017(9)April 2017(10)March 2017(6)February 2017(2)January 2017(1)December 2016(2)November 2016(8)October 2016(8)September 2016(4)August 2016(13)July 2016(7)June 2016(3)May 2016(8)April 2016(13)March 2016(7)February 2016(3)November 2015(1)