Only 10 day until major privacy law changes - are you ready and compliant?
On Thursday, 22 February 2018, new provisions of the Privacy Act 1988 (Cth) will come into effect across Australia. The new sections of the Act will legally compel many businesses to notify customers, clients, users and other third parties of certain data breaches. These changes are referred to as the Notifiable Data Breaches (NDB) scheme.
Are you a:
- private sector business with an annual turnover exceeding $3m*;
- private sector business that provides any health services; or
- private sector business that trades in personal information; or
- credit reporting body; or
- employee association; or
- Australian government department or corporation; or
- small business that has “opted-in” to the Act?
If you answered “yes” to any of the above you must:
1. notify a person if:
- you hold that person’s private information; and
- there is an unauthorised access, disclosure or loss of that information (a “data breach”); and
- the data breach is likely to result in serious harm to the person; and
2. provide the person with advice on the steps they should take (e.g. changing passwords, cancelling credit cards, etc.); and
3. notify the Australian Information Commissioner.
The Commissioner may provide advice and guidance, and in some circumstances may take regulatory action if the breach is serious enough.
What happens if my business doesn’t comply?
A failure to comply with the scheme will be considered an “interference with the privacy of any individual”. Accordingly, the Commissioner may take such action as:
- seeking, accepting and enforcing undertakings;
- making and enforcing determinations;
- seeking injunctions; and
- applying to a court for the application of a civil penalty, up to $420,000.00.
What should you do now?
- review and update your current privacy policies and procedures to ensure that information is collected and handled responsibly and safely;
- implement data breach policy procedures, in order to assess, remedy and notify data breaches if they occur; and
- review your current IT and data security policies, procedures and systems, in tandem with your IT provider to ensure the chance of a data breach is kept to a minimum.
Need more information?
The Office of the Australian Information Commissioner provides general information on the scheme, which can be accessed here.
If you are not sure if the legislation applies to you, or you need help becoming compliant before 22 February, Clifford Gouldson Lawyers can provide advice, training and audits in relation to such policies and procedures.
*Certain small businesses with a turnover under $3m may also need to comply with elements of Act, such as those providing services to the Commonwealth (click here for a detailed list).
In January last year, in the Queensland Industrial Relations Commission, Deputy President Swan dismissed a complaint made by a worker that claimed she had been sexually discriminated against by her employer due to an unfortunate event of domestic violence.... read on
An underpaying sushi business is the first to be charged by the Fair Work Ombudsman (FWO) utilising under a new reverse onus of proof law that puts the pressure back on employers to refute fishy conduct in court.... read on
From 1 March 2019 export air cargo, regardless of destination, will need to be examined at piece-level or originate from a Known Consignor. These measures are designed around improving aviation security.... read on