From 22 February 2018, all businesses bound by the Privacy Act 1988 (Cth) will be subject to new mandatory data breach assessment and notification obligations.
In summary, the scheme will require those businesses to:
- if they suspect there has been an ‘eligible data breach’, carry out a prompt and thorough assessment within a maximum period of 30 days; and
- as soon as they have reasonable grounds to believe there has been an ‘eligible data breach’, make prescribed notifications to the Office of the Australian Information Commissioner and to affected individuals.
What is a “data breach”?
It is important to be aware that data breach is not limited to malicious acts of hacking or ransomware – recent examples in Australia have included an inadvertent loss of medical records and a third party provider accidentally publishing client records to a public section of a business’s website. In fact, a data breach is any unauthorised access to or disclosure of personal information, or any loss of personal information.
Under the new scheme, an ‘eligible data breach’ will arise if the data breach is likely to result in serious harm to any of the individuals to whom the personal information relates.
How can your business prepare?
As a first step, it is important to understand and document how personal information is collected, used, disclosed, accessed and stored within your business. This critical step will help you to identify when a data breach has occurred, and assess your exposure to risk.
The next step is to develop a data breach incident response plan. A data breach incident response plan will address how your business will respond to a data breach and identify the internal team who will be responsible for assessing a breach. The plan will cover how a data breach must be reported internally, assessed and (if necessary) notified.
Having a data breach incident response plan ensures your business is prepared to comply with the scheme if a data breach occurs, and your staff know what to do if they suspect or become aware of a data breach or other cyber security incident. Now is also the time to review your business’ insurance cover and consider if cyber insurance might be an appropriate risk mitigation strategy.
Navigating the minefield that is the new Mandatory Data Breach Notification Scheme can seem daunting. But understanding what constitutes a breach, how to make an assessment of serious harm, what the exemptions from notification are, and notably, the potential consequences of failing to notify, will be crucial come February.
To find out more, visit www.oaic.gov.au.