On Thursday, 22 February 2018, new provisions of the Privacy Act 1988 (Cth) will come into effect across Australia. The new sections of the Act will legally compel many businesses to notify customers, clients, users and other third parties of certain data breaches. These changes are referred to as the Notifiable Data Breaches (NDB) scheme.
Are you a:
- private sector business with an annual turnover exceeding $3m*;
- private sector business that provides any health services; or
- private sector business that trades in personal information; or
- credit reporting body; or
- employee association; or
- Australian government department or corporation; or
- small business that has “opted-in” to the Act?
If you answered “yes” to any of the above you must:
- notify a person if:
- you hold that person’s private information; and
- there is an unauthorised access, disclosure or loss of that information (a “data breach”); and
- the data breach is likely to result in serious harm to the person; and
- provide the person with advice on the steps they should take (e.g. changing passwords, cancelling credit cards, etc.); and
- notify the Australian Information Commissioner.
The Commissioner may provide advice and guidance, and in some circumstances may take regulatory action if the breach is serious enough.
What happens if my business doesn’t comply?
A failure to comply with the scheme will be considered an “interference with the privacy of any individual”. Accordingly, the Commissioner may take such action as:
- seeking, accepting and enforcing undertakings;
- making and enforcing determinations;
- seeking injunctions; and
- applying to a court for the application of a civil penalty, up to $420,000.00.
What should you do now?
- review and update your current privacy policies and procedures to ensure that information is collected and handled responsibly and safely;
- implement data breach policy procedures, in order to assess, remedy and notify data breaches if they occur; and
- review your current IT and data security policies, procedures and systems, in tandem with your IT provider to ensure the chance of a data breach is kept to a minimum.
Need more information?
The Office of the Australian Information Commissioner provides general information on the scheme, which can be accessed here.
If you are not sure if the legislation applies to you, or you need help becoming compliant before 22 February, Clifford Gouldson Lawyers can provide advice, training and audits in relation to such policies and procedures.
*Certain small businesses with a turnover under $3m may also need to comply with elements of Act, such as those providing services to the Commonwealth (click here for a detailed list).