A fool-proof compliance guide for Australian business professionals in all industries
In February 2018, the Mandatory Data Breach Notification law came into effect. Even though that date has come and gone, many professionals are still trying to get a handle on what is required of them. Since data storage and security are fundamental responsibilities for every modern company, business professionals are keen to understand the new law properly.
That is why we have set out to create a clear and simple guide to this law, so that our clients and other Australian business professionals understand exactly what is expected of them and can put strategies in place to stay compliant with the new regulatory requirements. So let’s dive in and review the top questions you and your organisation should be considering in order to maintain compliance.
As of 22 February 2018, organisations subject to the Privacy Act 1988 are required to report any ‘eligible data breach’ that occurs on their systems. Entities must promptly notify both the Office of the Australian Information Commissioner (OAIC) and any clients or individuals who may be affected by the breach in question.
The Mandatory Data Breach Notification requirements apply to all government agencies and private sector entities that are bound by the Australian Privacy Principles (APPs) under the Privacy Act.
This includes private entities and non-profit organisations with an annual turnover of more than $3 million (turnover, not profit, is the test). It also includes small businesses and other entities that provide health services, Commonwealth contracted services, credit reporting services and more, regardless of their turnover.
The Mandatory Data Breach Notification law sets out specifically what kind of data incident counts as a breach. According to the regulatory requirements, an eligible breach is any data security event in which:
While the law offers this explicit definition, the scope of “serious harm” is not defined in the Act. It is therefore recommended that professionals err on the side of caution and consider the potentially harmful impacts of every data breach that occurs. After all, any data breach involving sensitive financial or personal data can reasonably be taken to carry a risk of serious harm to the individuals affected.
However, here are some tips for trying to determine the extent of “serious harm” created by a breach:
For context, here are some examples of potential data breaches that could be considered ‘eligible’ under the new law:
Another key piece of information business professionals should know is when exactly they are required to report to the OAIC and to potential victims. According to the requirements, organisations must report as soon as possible when:
There is a clause in the regulation that sets out the circumstances under which organisations are not required to report. The remedial action exception applies where an entity takes remedial action in response to a breach (for example, preventing unauthorised access to, or disclosure of, the information) before serious harm results, such that a reasonable person would conclude the breach is no longer likely to result in serious harm. In these cases, the entity must be able to demonstrate that its action has prevented the misuse of the data that was lost or stolen, or otherwise prevented serious harm from resulting.
The Mandatory Data Breach Notification law also gives clear instructions on how entities are required to submit notice of an eligible breach. Once an organisation becomes aware of a potential data breach, it must follow this series of reporting steps as soon as possible:
Entities must provide a copy of this statement to the OAIC as quickly as possible while also taking concrete steps to share its contents with affected individuals by email, telephone or post. If direct communication with affected individuals is not possible, the entity must publish the statement on its own website or publicise it in some other reasonable way. While ‘as soon as possible’ may seem vague, what counts as a reasonable timeframe will depend on the time, cost and effort required to meet the notification requirements.
When an entity suffers a data breach, the breach itself is unlikely to result in any financial or regulatory penalty. However, a failure to report an eligible data breach is treated as an interference with the privacy of the individuals affected by the breach. Under the Privacy Act, this means that a failure to notify can result in a formal complaint to the Australian Privacy Commissioner.
While company directors and managers will not be held personally liable, serious or repeated non-compliance can result in organisations facing civil penalties of up to $2.1 million.
So, How Can Your Organisation Promote and Maintain Compliance?
After reviewing all the facts, you and your team are probably wondering: how can we promote and maintain compliance with the Data Breach Notification law? The first step is awareness; the next is knowing what to look for and when to be concerned.
According to the requirements, entities can maintain compliance by:
In addition to these ‘in-the-moment’ strategies, the OAIC also recommends that covered entities maintain an up-to-date data breach response plan so that breach responses are efficient and effective. The OAIC has published a helpful guide to preparing for and responding to data breaches involving personal information.
Wondering what else you and your team can do to stay proactive and prepared? Here are some additional tips for staying on top of the Data Breach Notification law:
While regulatory compliance can seem overwhelming, staying on top of data privacy and protection does not have to be impossible. If your organisation is looking for ways to strengthen its data protection effort, do not hesitate to reach out to a professional IT advisor for consultation and guidance. Protecting your company and client data is critically important, and advice from an industry professional can make all the difference in maintaining a secure data environment.