From 22 February 2018, all businesses bound by the Privacy Act 1988 (Cth) will be subject to new mandatory data breach assessment and notification obligations.
In summary, the scheme will require those businesses to:
It is important to be aware that data breach is not limited to malicious acts of hacking or ransomware – recent examples in Australia have included an inadvertent loss of medical records and a third party provider accidentally publishing client records to a public section of a business’s website. In fact, a data breach is any unauthorised access to or disclosure of personal information, or any loss of personal information.
Under the new scheme, an ‘eligible data breach’ will arise where a data breach (unauthorised access, unauthorised disclosure or loss of personal information) is likely to result in serious harm to any of the individuals to whom the personal information relates. Serious harm is assessed objectively: the test is whether a reasonable person would conclude that such harm is likely, not whether harm has actually occurred.
As a first step, it is important to understand and document how personal information is collected, used, disclosed, accessed and stored within your business. This critical step will help you to identify when a data breach has occurred, and assess your exposure to risk.
The next step is to develop a data breach incident response plan. A data breach incident response plan will address how your business will respond to a data breach and identify the internal team who will be responsible for assessing a breach. The plan will cover how a data breach must be reported internally, assessed and (if necessary) notified. Note that the scheme requires the assessment of a suspected eligible data breach to be carried out reasonably and expeditiously, and completed within 30 days, so the plan should set clear internal escalation timeframes that leave room to meet that deadline.
Having a data breach incident response plan ensures your business is prepared to comply with the scheme if a data breach occurs, and that your staff know what to do if they suspect or become aware of a data breach or other cyber security incident. Now is also the time to review your business’s insurance cover and consider whether cyber insurance might be an appropriate risk mitigation strategy.
Navigating the new Mandatory Data Breach Notification Scheme can seem daunting. But understanding what constitutes a breach, how to assess serious harm, what the exemptions from notification are and, notably, the potential consequences of failing to notify, will be crucial come February.
To find out more, visit www.oaic.gov.au