Pssst, over here! (You need to read this if your business turns over more than $3 million)

We’ve all heard about the increasing prevalence of data ‘breaches’ and ‘hackings’.  Some well-publicised examples include:

  • The hacking of Microsoft’s Business Productivity Online Suite in 2010;
  • The theft and publication of 6 million user passwords from LinkedIn in 2012. This was followed up in May 2016, when hackers stole and posted for sale on the dark web an estimated 167 million LinkedIn email addresses and passwords;
  • The breach of 68 million user accounts at Dropbox in 2012, where the offender gained access to email addresses, passwords, and nearly 5 gigabytes of data;
  • Twitter in May 2018 – a glitch caused users’ passwords to be written to an internal computer log before they were hashed;
  • Microsoft in January 2020 – a report revealed that 250 million customer records had been exposed online without password protection; and
  • Facebook in April 2021 – over 533 million Facebook users’ personal data were leaked (including phone numbers, locations, email addresses, etc.).

One of the things that really upsets users is that many of the earlier major breaches were kept under wraps by the affected companies for many years – which prevented users from acting to protect their data, or seeking compensation from the companies.

Rather than sit on its hands, our government decided to try to do something about it.  The relevance and practicality of this response is open to serious question. But if your business turns over $3 million or more, then you need a refresher on these measures – which came into effect in February 2018.

So, what are these measures and how do they impact you?  In this article, we provide a crash course on these changes, and some tips on how to make sure your business complies.

What are the key features of the Privacy Act?

Since 22 February 2018, all ‘APP entities’ have been required to notify the Office of the Australian Information Commissioner (OAIC) if a ‘Notifiable Data Breach’ occurs.  The OAIC refers to this as the ‘Notifiable Data Breach (NDB) scheme’.

Who must comply with the NDB scheme?

The NDB scheme applies to all ‘APP entities’.

This includes all businesses with an annual turnover of more than $3 million.

It also includes small businesses (i.e. businesses with turnovers of less than $3 million) if they are:

  • Private sector health service providers (including medical practitioners, pharmacists, gyms and weight loss clinics);
  • Complementary therapists, such as chiropractors or psychologists;
  • Childcare centres, private schools and private tertiary educational institutions;
  • Businesses that sell or purchase personal information;
  • Credit reporting bodies; or
  • Related to a business that is an APP entity.

To find out whether you must comply with the NDB scheme, contact us on 1300 654 590 or email us. We can provide you with clear guidance.

What obligations are imposed by the NDB scheme?

The NDB scheme requires APP entities to notify the OAIC and any affected people as soon as practicable if they have a reasonable concern that a ‘Notifiable Data Breach’ has occurred.

A ‘data breach’ is defined generally as a situation where ‘personal information held by an agency or organisation is lost or subjected to unauthorised access, modification, disclosure, or other misuse or interference’.

A ‘Notifiable Data Breach’ arises if:

  • There has been unauthorised access to, or disclosure of, information and it is reasonable to believe that it could result in serious harm to individuals (e.g. if your database has been hacked); or
  • Information is lost in circumstances where unauthorised access is likely, and it is reasonable to believe that it could result in serious harm to individuals (e.g. if your employee left a folder of clients’ personal information in a public place).

The concept of ‘serious harm’

The effect of the new rules is to require business owners to consider the possible consequences of any data breach to determine whether it may cause ‘serious harm’ to an individual or individuals.  This is a broad concept and may include physical, emotional, economic or financial harm or reputational damage.

To determine whether a data breach is likely to cause ‘serious harm’ (and is therefore a Notifiable Data Breach), you should consider factors such as:

  • The type of information breached;
  • Whether the information is protected by other security measures, and the probability that someone can overcome those measures;
  • The people who may have access to the information as a result of the breach; and
  • The nature of the harm that might arise from the breach.

What must you do if you identify or suspect a data breach?

If an APP entity suspects that a data breach has occurred, it must carry out an assessment within 30 days to verify whether the breach occurred and ascertain whether it is a Notifiable Data Breach.

Are you worried about a potential or actual data breach? Contact us on 1300 654 590 or email us. We can guide you through your obligations.

How do you give notice of a Notifiable Data Breach?

The OAIC has published a notifiable data breach form via which businesses can provide notification.

The breach must also be notified to the affected individuals using any reasonable direct method of communication (e.g. phone call, email, SMS or letter in the mail).

What information must a notification include?

A notification of a Notifiable Data Breach must include the following information:

  • The identity and contact details of the APP entity;
  • The types of information exposed by the breach;
  • A description of the breach, including when and how it occurred, and when it was discovered;
  • An estimate of the number of people whose personal information is involved;
  • How you have responded or intend to respond to the data breach;
  • How you intend to notify individuals of the breach;
  • Whether you have reported the breach to any other regulatory bodies; and
  • Recommendations about the steps that people should take in response to the breach.

Do you need to give notice of a notifiable data breach? Contact us on 1300 654 590 or email us. We can guide you through your obligations.

Are there any exceptions to the NDB scheme?

Businesses are not required to notify of a data breach if they act quickly in relation to the breach such that it can reasonably be said that the breach would not cause any serious harm.

Further, businesses that have good policies and protocols in place should be able to avoid the rigmarole associated with notification under the scheme.  Good protocols include things like data encryption, 24-hour IT monitoring and employee policies for secure handling of sensitive information. Encryption matters here because, as noted above, one of the factors in assessing ‘serious harm’ is whether the information is protected by other security measures and how likely it is that someone could overcome them.

Ultimately, the onus is on the business to determine the likelihood of serious harm and make a call on whether the breach should be notified.  It is our view that business owners are better off erring on the side of caution when deciding whether to notify.

How is the NDB scheme monitored?

The OAIC encourages compliance with the NDB scheme by handling complaints, conducting investigations and taking other regulatory action. If an organisation breaches the NDB requirements, they may face civil penalties under the Privacy Act civil penalty framework (which includes fines of over $1 million for organisations).

Our recommendations for how to comply with the NDB scheme

We recommend that business owners take the following steps to comply with the scheme:

  • Ascertain whether you are subject to the Privacy Act. Even if you are a small business or a sole trader, you could be subject to the new rules.
  • Be aware of the types of information you store and their sensitivity. Different types of information may require different types of security measures.
  • Prepare and implement a data handling policy. The sooner the better, to ensure that your staff get to know the policy before the scheme commences.
  • Review your IT systems and firewalls. If you store a lot of sensitive data or are in an industry that is targeted by online attacks, consider investing in encryption software.
  • Consider whether you should take out insurance to cover any loss you may suffer. Ideally, any policy should cover as many types of loss as possible (e.g. internal costs of compliance, rectification costs, third party claims for damages).
  • Review your contracts with suppliers and other third parties. Ensure that they do not pass on responsibility to you, and that they do not limit their liability if a breach is caused or contributed to by them.
  • Prepare and implement a data breach response plan. This will enable you to mobilise quickly if any data breach occurs.
  • Appoint a person in your business to be responsible for notifications. This will ensure that notifications are completed quickly and in accordance with the requirements.
  • Establish and maintain a data breach log. The log will be a central directory to record the details of any data breach, how the breach was categorised (i.e. whether or not it was notifiable), and how the breach was dealt with.
  • Schedule periodic assessments of your procedures and policies. This will ensure that you can make any necessary modifications to your compliance once the scheme has been rolled out, and ensures your security measures will be kept up-to-date.

We can help you prepare

To find out whether you must comply with the NDB scheme, or for assistance to comply with the scheme, contact us on 1300 654 590 or email us. We can guide you through the NDB scheme to provide a clear way forward.


The information contained in this post is current at the date of editing – 15 April 2024.
