Most business leaders are now aware of the new mandatory data breach reporting rules, but understanding what they mean in practice is a very different story.
Data breaches are commonplace in an increasingly digital world and their consequences are about to become significant for thousands of SMEs across Australia.
Here’s what SMEs need to know about the new laws.
What is it?
The new Notifiable Data Breaches (NDB) scheme makes it mandatory for various organisations to notify individuals and the Office of the Australian Information Commissioner (OAIC) when a relevant data breach occurs.
When does the scheme commence?
The NDB scheme came into effect on 22 February 2018, and only applies to eligible data breaches that occur on or after that date.
Who does it apply to?
These new laws will have significant implications for SMEs with turnovers of more than $3 million annually.
Any agency or organisation already subject to the Privacy Act is captured by the new regulations – that means businesses and not-for-profit organisations, health service providers and more.
Those with turnover less than $3 million a year may also be affected if they meet certain criteria, for example if they operate a residential tenancy database, trade in personal information or are employee associations registered or recognised under the Fair Work Act to name a few. The full list of who is covered by the new rules can be found on the OAIC website.
What are the new obligations?
If a relevant SME suspects that an eligible data breach has occurred, it must take reasonable steps to complete an expeditious assessment within 30 days.
If it is determined that an eligible data breach has occurred, the SME must then do the following as soon as practicable:
- Prepare a statement containing the SME’s contact details, description of the breach, kinds of information concerned and steps recommended to affected individuals to mitigate any harm;
- Alert and provide a copy of the statement to the OAIC via an online form; and
- Notify individuals whose personal information is likely to result in serious harm due to the data breach.
What is an eligible data breach?
A breach in which there is unauthorised access, disclosure or loss of personal information held by an entity and that access, disclosure or loss is, from the perspective of a reasonable person, likely (more probable than not) to result in serious harm to any of the individuals to whom the information relates.
A “reasonable person” is a person in the SME’s position who is properly informed as to the data breach and not from the perspective of a person whose personal information was compromised.
Examples may include the hacking of a database containing personal information or personal information that is mistakenly provided to the wrong person.
What if I fail to report?
If an SME fails to report an eligible data breach, then civil penalties as high as $1.8 million can be applied.
Failure to notify affected individuals could also result in complaints to the OAIC.
How often do data breaches really occur?
Data breaches are common and sometimes unavoidable. In 2016, the Red Cross admitted that the personal information of 500,000 Australian blood donors might have been compromised.
It was revealed by Uber that in 2016 the personal information of 57 million customers and drivers had been compromised in a data theft.
How can you prepare your business?
- Firstly, determine whether your SME, business or organisation is subject to the NDB scheme.
- Check out the Information Commissioner’s Guide to securing personal information. Be aware of how personal information is stored and managed, and take necessary steps to implement adequate security measures.
- Have in place a data breach response plan. The OAIC has an excellent guide to help prepare such a plan.
- Ensure personnel are trained to understand the NDB scheme, including identifying when a breach has occurred and what the SME’s policies and procedures are.
- Seek legal advice at any step along the way to ensure that you are fully aware of your obligations.
Mathisha Panagoda is an associate with Carroll & O’Dea Lawyers.
Adam Zuchetti is the editor of My Business, and has steered the publication’s editorial direction since early 2016.