Keeping it Confidential: Data Breach Obligations and Your Business

image1

Why is this important for Your Business?
You might have noticed that some of the largest corporations in the world have, over the course of the last 12 months, been updating their privacy policies. You might have also noticed that the Australian media is reporting on large scale data breaches more regularly than ever before.
We now live in a world where, whether you’re an individual, business or government department, your data is at risk of breach and it’s important to remember that not all data breaches are the result of hacks. Human error is often the cause.

In this heightened state of data security, every business in Australia needs to be aware of its obligations at law in relation to the data they hold and the liability that they could face in the event of a data breach. Recognising that this is not just an issue for large corporations is a critical first step.

The laws changed 1 year ago, what has your business done to catch up?

What businesses are most at risk?
According to the Office of the Australian Information Commissioner (OAIC) the top 4 industries in Australia that were affected by some form of a data breach in 2018 were:
1. Health Service Providers;
2. Finance;
3. Legal, Accounting and Management Services; and
4. Education.

What Does the Law Require of your Business?
Legislation: Australia
Pursuant to the Notifiable Data Breaches Scheme (Scheme) which commenced in Australia on 22 February 2018, a business operating in Australia will be required to notify the OAIC of reportable data breaches if: –
1. they have revenue (NB: not profit) of more than $3m a year; or
2. they are a tax file number recipient.
You are a tax file number recipient if you hold any information which contains a tax file number. This might include tax returns, financial statements, group certificates and pay slips. However, this does not apply with respect to the TFN details of employees of the business.
In the event of a Breach what do I do?
If you have reasonable grounds to believe an eligible data breach has occurred then the Scheme requires that you promptly notify all individuals at likely risk of serious harm from the breach however the business has a number of options as to how this is done (see below).
You must also notify the OAIC as soon as practicable by lodging a statement in the required form. The notification to the OAIC will include the identity of your business, information about the breach and any recommendations your business considers it would be prudent for affected individuals to take in response to the breach.

Who should I notify?
The Scheme provides you with three options as to who and how you would notify your clients of a data breach:
1. All clients;
2. Only those clients at risk of serious harm; and
3. If unable to notify clients directly, then by publishing a public statement.
The third option can be utilised in the event that a business cannot notify all affected individuals directly. If that is the case, the business must publish a copy of the statement issued to the OAIC on the business’ website and other online platforms used by the business to interact with its clients, such as social media pages.

Legislation: European Union (EU)
On 25 May 2018 the General Data Protection Regulations (GDPR) came into effect in the EU.
For Australian businesses, the GDPR will apply to you if you hold information in relation to any resident of the EU. It should be noted that the GDPR has stricter requirements, than the Scheme, in relation to mandatory breach notifications but importantly your business may be subject to both the Scheme and GDPR depending on where it operates.

Tips to help you and your business reduce the risk of a data breach
This is a non-exhaustive list of common and simple actions that can be taken to reduce the risks of data breaches in your business:

  1. Only obtain the information that you need to complete your services and destroy information that your business does not need or no longer needs (subject to any mandatory retention periods);
  2. Ensure all portable devices are password protected and that all remote connections use a secured VPN;
  3. Disable USB and other storage device drives on office computers;
  4. Be mindful of visitors in the office and photos taken of the office;
  5. Ensure all staff lock their computers or shut down their computers when they are not at their desks;
  6. Ensure you have agreements in place with your third-party contractors to require them to acknowledge their own obligations with respect to information they may come into possession of when performing services for you;
  7. Know where your data is stored, where servers are located and across which borders data is being transmitted; and
  8. Have a response plan in place in the event that your business is subject to a data breach.

Implementation
Every business in Australia should, as a matter of priority:

  1. Familiarise itself with the National Privacy Principles, Privacy Act 1988 and the Scheme;
  2. If your business is subject to the GDPR then familiarise yourself with the GDPR rules in addition to the Australian law;
  3. Conduct a review and audit of your business’ current policies and procedures to ensure compliance with your legal requirements;
  4. Where required, update your internal and external policies and procedures and client retainer agreements;
  5. Implement strategies to reduce the risk of breaches;
  6. Prepare a response plan and ensure all staff are aware of their role; and
  7. Ensure all staff and any other persons handling your data are aware of the risks and implications of a data breach.

If you would like advice in relation to your specific business’ obligations under the legislation, please do not hesitate to contact our offices
Phone: (08) 9481 6946
Email: admin@greenstonelegal.com.au.

Disclaimer: This guide contains general information only and is not exhaustive. This guide must not be relied upon as legal advice. Copyright Greenstone Legal 2019.