Australia’s mandatory Data Breach Notification laws: Are You Ready?

By Paul Green, Senior Information Security Consultant

Security breaches continue to hit the headlines and have focussed the spotlight for individuals and organisations alike on the increasing importance of data security and privacy.  For all the security breaches we hear about, many more are not monitored or go unreported.

In response to the growing risk these threats represent to the community, our borders and our industry, the Australian parliament passed new Mandatory Data Breach notification laws. From February 2018 all Australian organisations that are regulated by the Privacy Act may be liable for large fines for failing to comply with the new rules. Breaches include attacks on information storage, the accidental loss of documents or data, and the improper disclosure of information.

Whether or not you have been personally affected, now is the time for all of us to take data breaches more seriously. It is also the perfect time to review the way you manage the security controls, access, movement and use of all personal data, including data about customers, subscribers, users, employees, constituents and contractors, and any other personally identifying information under your management.

Despite the increased general awareness of data security issues, I’ve noticed that many clients and peers still have questions about the interpretation and application of the Australian Privacy Act (view my article on the Australian Privacy Principles), what the Data Breach Notification Amendment means for them, and what they should do, if anything, to spread awareness, review procedures and prepare.

What is Data Breach Notification law?

The Privacy Amendment (Notifiable Data Breaches) Bill 2016 establishes a mandatory data breach notification scheme in Australia. In the near future, organisations will be legally obliged to notify any individuals affected by a data breach that is likely to result in serious harm.

As organisations collect more and more data about our personal lives, the consequences of not protecting that data grow more severe: identity theft, fraud and so on.

In essence this law is designed to ensure that organisations pay more serious attention to the protection of personal information. By obliging organisations to declare data breaches and explain clearly to the public how they responded, affected individuals are given the information they need to understand the risk and to help minimise the damage that may result from the unauthorised disclosure of their personal information.

In the event of a data breach an organisation is required to notify the Office of the Australian Information Commissioner (OAIC) as well as the individuals affected. A data breach is defined as personal information held by the organisation being lost or subject to unauthorised access, modification or disclosure; for example, an employee losing a USB thumb drive containing clients' personal information.

Will I have to comply with the new laws?

The new legislation applies to all Australian Government agencies, organisations and businesses that are regulated by the Australian Privacy Act. This includes most businesses and not-for-profit organisations with an annual turnover in excess of $3 million, as well as private sector health providers, credit reporting agencies, personal information brokers and employee associations.

This is a significant step in increased cybersecurity regulation. Regardless of whether your organisation is required to comply, it may pay to take a more strategic view of your client relationships and put their right to data privacy at the centre of your security provisions.

When do the new laws come into force?

On 22nd Feb 2018. All organisations would be well advised to review their data security and privacy policies before then to ensure they comply with these new laws.

What constitutes an eligible breach?

An eligible data breach is classified as an instance where there has been unauthorised disclosure of personal information putting the individuals who are affected at "risk of serious harm".

Serious harm includes actions such as identity theft, fraud, discrimination or psychological and physical harm.

What should I be doing to prepare for the new laws?

  • Make sure you can identify all of the data that your organisation collects and retains that is classed as personal information under the Australian Privacy Act. Learn more about the 13 Australian Privacy Principles that make up the Australian Privacy Act here.
  • Ensure all employees understand that they have an obligation to report suspected breaches.
  • Define and implement a Data Breach plan. This should document how to identify and report a breach of personal information. It should include who needs to be notified internally, and the processes to contain the breach, including any forensic measures that may be required. It must also identify who is responsible for notifying the OAIC of the breach.

What does breach notification involve?

Within 30 days of becoming aware of any data breach, you will be required to assess the breach and determine whether serious harm could occur. If an eligible data breach is identified, it must be reported to the Office of the Australian Information Commissioner and the affected party as soon as possible. The notification must disclose the type of data breach, the particular information affected and how the affected party should respond to the data breach.

When it comes to data privacy, prevention is a priority. Preparing for the worst will minimise the fall-out of a breach. To discuss the practical application of new security plans and processes within your own organisation talk to Business Aspect about a privacy compliance assessment.