Discover what your obligations are under recent Privacy Act amendments and how to follow through with a proactive data protection framework.
Since 22 February this year, the Privacy Act 1988 (Cth) has included a series of amendments requiring companies, organisations and other entities to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals when the data they hold has suffered an unauthorised breach. The amendments established the Notifiable Data Breach (NDB) Scheme, whose aim is to have organisations guard against data breaches and notify those affected promptly, so that the fraud a breach enables can be prevented.
It’s been a long time coming, mirrors similar measures introduced in Europe, and certainly helps secure the identities of individuals who deal with corporations, not-for-profits and health organisations. In 2017 alone, the data breaches of Deloitte, Uber and a handful of US healthcare organisations reached the news, with millions of customers affected. The NDB Scheme will affect all health providers and all not-for-profits with over $3 million in revenue each year. Several elements go into the definition of an ‘eligible data breach’, but whatever the detail, it’s important to have a proactive framework in place to guard against breaches and to notify anyone affected quickly when one occurs, because a breach can happen at any time.
The True Cost of Non-Compliance
We’re not just talking about fines here. Yes, continued and serious interferences with privacy carry penalties of up to $420,000, but not having a proactive framework in place to contain and respond to a data breach quickly is a cost in its own right. Part of that framework could include reasonable measures that reduce the likelihood of ‘serious harm’ resulting from a breach. To illustrate what such reasonable measures might look like, the OAIC gives this example:
“An employee leaves a smartphone on public transport while on their way to work. When the employee arrives at work they realise that the smartphone has been lost, and ask their employer’s IT support staff to remotely delete the information on the smartphone. Because of the security measures on the smartphone, the IT support staff are confident that its content could not have been accessed in the short period between when it was lost and when its contents were deleted.”
- Boagg & Higgins, OAIC, 2018 (new website launched – General Data Protection Regulation guidance for Australian businesses)
As the example shows, a data breach is not only a hack, as many of us would assume. It can also be the physical loss or theft of a device, an email sent to the wrong recipient, or data leaked by an employee. So even with the most secure data system in the world, it’s important to have an easy-to-follow framework in place, because ‘data breaches’ in this sense include fairly routine incidents that might previously have been written off as not serious.
Proactive Data Breach Measures and Procedural Framework
The example above illustrates some of the four key measures of a successful proactive data framework:
- Ability to identify the personal information you are responsible for
- Ability to protect personal information
- Ability to detect a data breach
- Response procedures in place for data breach events
If you don’t have enough measures at your disposal to respond to a data breach quickly, or there is no procedural framework for dealing with one, what began as a simple mistake could end up costing the organisation dearly. To ensure your response to a data breach complies with the Privacy Act, and to minimise the potential for serious harm, both technological and procedural measures should be in place.
One such technological measure, covering detection as well as the identification and protection of personal information, is a whitelisting system on your data platforms: only approved devices can reach a given set of data, that access can be revoked at the flick of a button, and every access is logged in real time. Response procedures should be uniform and easy to perform, with post-response reporting to the OAIC and affected individuals made as transparent as possible.
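To make the whitelisting idea above, and the four measures listed earlier (identify, protect, detect, respond), concrete, here is an added example written for this article; it is not humanIT’s or the OAIC’s code. It is a minimal gateway in Python that keeps a per-data-set device whitelist, revokes a device from every data set in one call, records every decision in an append-only log, and flags refused attempts against data sets that hold personal information. It replays the OAIC lost-smartphone scenario: the phone reads records normally, is reported lost and revoked, and any later attempt from it is refused and logged. All device IDs, data set names and timestamps are constructed for illustration.

```python
"""Device-whitelist gateway with instant revocation and a real-time audit
log. Added example, not humanIT's or the OAIC's code; every device ID,
data set name and timestamp below is constructed for illustration."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class AccessEvent:
    """One line of the real-time access log."""
    when: datetime
    device_id: str
    dataset: str
    allowed: bool
    reason: str


class DataGateway:
    """Every read of a data set passes through here and is logged."""

    def __init__(self) -> None:
        self._allow: dict[str, set[str]] = {}     # data set -> approved device IDs
        self._personal: dict[str, bool] = {}      # data set -> holds personal info?
        self.log: list[AccessEvent] = []          # append-only audit trail

    def register_dataset(self, name: str, holds_personal_info: bool) -> None:
        """Measure 1 (identify): record which data sets contain personal information."""
        self._allow[name] = set()
        self._personal[name] = holds_personal_info

    def approve(self, device_id: str, dataset: str) -> None:
        """Measure 2 (protect): add a device to the whitelist for one data set."""
        self._allow[dataset].add(device_id)

    def revoke(self, device_id: str) -> None:
        """The 'flick of a button': strip a device from every whitelist at once,
        for example the moment a phone is reported lost."""
        for devices in self._allow.values():
            devices.discard(device_id)

    def access(self, device_id: str, dataset: str, now: datetime | None = None) -> bool:
        """Decide one access request and log the decision either way."""
        when = now or datetime.now(timezone.utc)
        if dataset not in self._allow:
            allowed, reason = False, "unknown data set"
        elif device_id in self._allow[dataset]:
            allowed, reason = True, "device on whitelist"
        else:
            allowed, reason = False, "device not on whitelist"
        self.log.append(AccessEvent(when, device_id, dataset, allowed, reason))
        return allowed

    def personal_datasets(self) -> list[str]:
        """The data sets you are responsible for under the Privacy Act."""
        return sorted(n for n, personal in self._personal.items() if personal)


def denied_personal_data_attempts(gateway: DataGateway) -> list[AccessEvent]:
    """Measure 3 (detect): refused attempts against data sets holding personal
    information are the events a response procedure (measure 4) triages first."""
    personal = set(gateway.personal_datasets())
    return [e for e in gateway.log if not e.allowed and e.dataset in personal]


def lost_phone_scenario() -> DataGateway:
    """Replays the OAIC lost-smartphone example against the gateway."""
    gw = DataGateway()
    gw.register_dataset("patient-records", holds_personal_info=True)
    gw.register_dataset("public-brochures", holds_personal_info=False)
    gw.approve("phone-0421", "patient-records")
    gw.approve("phone-0421", "public-brochures")

    def at(hour: int, minute: int) -> datetime:  # constructed timestamps
        return datetime(2018, 3, 1, hour, minute, tzinfo=timezone.utc)

    gw.access("phone-0421", "patient-records", at(7, 50))   # normal use on the way in
    gw.revoke("phone-0421")                                 # 08:30: phone reported lost
    gw.access("phone-0421", "patient-records", at(8, 45))   # whoever found it: refused
    gw.access("phone-0421", "public-brochures", at(8, 46))  # refused, but not personal data
    gw.access("laptop-9999", "patient-records", at(9, 10))  # never approved: refused
    return gw


if __name__ == "__main__":
    gateway = lost_phone_scenario()
    for event in denied_personal_data_attempts(gateway):
        print(f"{event.when:%H:%M} {event.device_id} -> {event.dataset}: {event.reason}")
```

The point of the design is that the log is written on every decision, not only on failures, so an investigation can show both what the lost phone read before it was reported and that nothing was served to it afterwards; the refused attempt against the brochure data set is still logged but is not raised as a candidate incident, because that data set was identified up front as holding no personal information.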
The proactive data governance framework your organisation implements will depend entirely on the kind of technology you use and the scale of personal data you hold about your clients and customers. We think the NDB Scheme is fantastic for improving transparency for anyone affected by an organisation’s data breach, and implementing a well-designed procedural framework is a lot easier than responding to a data breach under pressure, with investigations and civil penalties hanging over you. It really is a good wake-up call for businesses and not-for-profits alike. If you’d like to arrange a consultation on how to prepare your organisation for data breaches through a proactive IT governance framework, get in touch with humanIT.