In February, Australia’s privacy law will change. If your organisation is covered by the Australian Privacy Act (this includes all Australian government agencies, and businesses and not-for-profit organisations with an annual turnover of $3 million or more), then these changes will apply to you.
Right now, your organisation has an obligation to keep all personal information it holds safe and secure. But if that information is breached, you’re not required by law to tell anyone about it.
That’s going to change. Amendments to the Privacy Act will make it obligatory for you to notify certain breaches from 22 February 2018. While you should seek your own legal advice about these changes, here are a few things you might want to know about the new law:
What is a personal information security breach?
Basically, it’s any unauthorised access to, or disclosure of, the personal information your organisation holds. It also includes the loss of that information in circumstances where unauthorised access or disclosure is likely to follow.
This could be anything from a lost phone or laptop containing personal details to one of your databases holding personal details being hacked.
What has to be notified?
The obligation to notify will apply if you have reasonable grounds to believe that:
- a breach has occurred, and
- a reasonable person would conclude that the breach is likely to result in serious harm to any of the individuals to whom the information relates.
The legislation doesn’t define what is meant by ‘harm’, but it’s likely to cover financial, physical, psychological, emotional and reputational harm.
Who do you notify, and when?
If a notifiable breach occurs, you’ll need to respond as soon as practicable. To do this:
Firstly, you’ll need to prepare a statement outlining what has happened, what kind of information was involved, and the steps you recommend affected individuals take in response.
You’ll then need to give a copy of your statement to the Office of the Australian Information Commissioner (OAIC) and, if practicable, notify either all the people whose information has been breached or only those who are at risk of serious harm from the breach.
If it’s not practicable to notify either of those groups directly, you’ll need to publish your statement on your website and take other reasonable steps to bring it to the attention of the people affected.
Here’s the exception
If you take remedial action quickly enough that, before any serious harm occurs, a reasonable person would no longer conclude the breach is likely to result in serious harm, then you are not legally required to notify anyone – but you might still choose to.
Any other obligations?
If your organisation only has reasonable grounds to suspect (rather than believe) there’s been a breach, then you need to carry out a reasonable and expeditious assessment to find out whether it is notifiable, and complete that assessment within 30 days of becoming aware of the suspicion.
If your organisation will be affected by these new laws, it’s recommended that you develop a data breach response plan now. A good place to start is the OAIC’s website.
Of course, prevention is key. And that’s where the three Ps are critical: Prepare, Prepare, Prepare. Canon’s IT Security Essentials Audit can help you benchmark how secure your IT environment is and help you understand where improvements can be made in preparation for the changing legislation.