Data Collection & Your Responsibilities - Notifiable Data Breaches
Does your business collect personal data? Do you know your responsibilities?
Recently a number of high-profile organisations have been reported in the media for notifying a breach of personal data under the Notifiable Data Breaches (NDB) Scheme. This raises questions about how individuals may be compromised, what the implications can be, and what lengths need to be taken to protect our personal information.
Community expectation around the handling of personal data is something that has dramatically changed over the past few years. Personal data and the protection of it is something the general public is becoming more aware of and sensitive about with more and more of our personal information being stored by businesses, organisations and Government. In response to this concern, the NDB Scheme was brought in with the objective of creating transparency in relation to the holding and use of personal information. The scheme began on the 22nd February 2018.
The legislation, whilst attempting to protect and provide transparency for individuals, also places responsibilities on businesses and organisations. It is a broad-reaching piece of legislation. As a business or organisation it is important to be aware of the scheme and of any changes to the policies or procedures you may need to implement when collecting, storing and protecting data in order to comply.
We can assist you.
What is Personal Information?
Personal information protected under the Privacy Act is any information or opinion that identifies or could reasonably identify an individual. Some examples are name, address, telephone number, date of birth, medical records, bank account details, consumer credit information or opinions.
If you collect and store data about your customers or clients, e.g. email lists, online leads databases, CRM systems, medical or legal databases, or ecommerce platforms, then you are collecting and storing personal information.
Who is Affected?
All organisations currently bound by the Australian Privacy Principles under the Privacy Act 1988 (Cth) are now affected by the NDB Scheme. These organisations are referred to as APP entities. The NDB Scheme applies to agencies and organisations that the Privacy Act requires to take steps to secure certain categories of personal information. This includes Australian Government agencies, businesses and not-for-profit organisations with an annual turnover of $3 million or more, credit reporting bodies, health service providers, and TFN recipients, among others.
The Privacy Act 1988 (Privacy Act) does not generally apply to small businesses, but there are some exceptions. If the business trades in personal information or holds health information, then the organisation may be an APP entity and subject to the scheme regardless of its turnover.
What is a data breach?
A data breach occurs when personal information held by an organisation is lost or subjected to unauthorised access or disclosure. An 'Eligible Data Breach' is a data breach that is likely to result in serious harm to any of the individuals to whom the information relates, and which the organisation has not been able to prevent through remedial action. Only eligible data breaches must be notified under the scheme.
How do I notify?
The Office of the Australian Information Commissioner (OAIC) sets out a four-step process for handling data breaches.
1. Contain the breach and make a preliminary assessment. You must take measures to contain the data breach as soon as you become aware of it.
2. Evaluate the risks associated with the breach. Where you suspect an eligible data breach may have occurred, the Privacy Act requires you to complete this assessment within 30 days of becoming aware of it.
3. Notify. If the breach is an eligible data breach, the affected individuals must be notified, and a Notifiable Data Breach form must be completed and submitted to the Information Commissioner.
4. Prevent future breaches. Steps must be taken to prevent future breaches.
What could happen?
Individuals have the right to complain if they consider that a business or organisation covered by the Privacy Act has not complied with the Act in handling their personal information. If your small business is covered by the Privacy Act, the Office of the Australian Information Commissioner (OAIC) can investigate. The OAIC may also conciliate and make determinations about complaints made about your handling of personal information.
The Commissioner can also investigate a matter