This is a security alert that should not be ignored!
Mandatory data breach notification laws will soon commence in Australia[1]. The new laws will affect federal government agencies and organisations (with an annual turnover of more than $3 million), who will be required to notify an ‘eligible data breach’ to:
An ‘eligible data breach’ arises where:
‘Serious harm’ may include:
If there are reasonable grounds to suspect an eligible data breach, an organisation must:
If an eligible data breach has occurred, the organisation must, as soon as practicable, notify the Australian Information Commissioner and the affected individuals.
If there is an eligible data breach, the organisation should take remedial action before the unauthorised access or disclosure of personal information results in serious harm to the affected individuals. If so, then it will not be required to notify the affected individuals. That’s a handy ‘get out of jail card’.
Failure to comply with the notification requirements under the new laws could mean:
Organisations should now take the following steps in pursuit of compliance with the new laws:
1. Update existing privacy policy.
2. Create or update the data breach response plan, which should:
a. appoint employees and external experts (eg IT providers and lawyers) responsible for managing data breaches; and
b. outline procedures for identifying, investigating and managing data breaches and notifications.
3. Train staff to ensure they are aware of, and can respond to, data breaches.
4. Review existing contracts with services providers to ensure compliance with the new laws.
If you need help complying with the new data breach notification laws before they come into effect, you should seek advice from Bespoke’s privacy lawyers.
[1] Privacy Amendment (Notifiable Data Breaches) Bill 2016 (Cth).
[2] Explanatory Memorandum to Privacy Amendment (Notifiable Data Breaches) Bill 2016 (Cth).
Privacy: a new broom sweeps across borders
Counting the cost of outsourcing (part 1)
Counting the cost of outsourcing (part 2)
Posted on: 13 March 2017