PRIVATE - keep out! - wespokelaw

It is easy to forget the little things when you delegate your responsibilities, especially if your delegates are the ‘experts’. However, some seemingly ‘small’ responsibilities can be very costly to neglect.

With the impending implementation of Australia’s mandatory data breach notification law on 22 February 2018, it is time to reassess the little things and take responsibility for handling personal information (whether digital or not).

It is no excuse, under Australian privacy law, to say that your business engaged the services of another entity responsible for managing your data storage mechanisms and protection systems.^[1]

So who is responsible for compliance under the Privacy Act 1988 (Cth)?

Not only the big businesses.

If your business:

is engaged in the buying, exchanging or selling of personal information;
is a health service provider of any kind, ^[2] including gyms, aged care centres and schools;
has a turnover of over $3m per year;
is part of a federal government agency; or
is part of a credit reporting agency,

you will need to comply with the Privacy Act.^[3]

The tech people said they’d take care of it.

Instances of hacking, accidental data leaks and ransomware events are on the rise, and no matter how advanced the tech systems, often the ‘hackers’ are one step ahead. 2017 saw the events such as:

‘WannaCry’ ransomware attacks which crippled computer systems in hospitals, major companies and government offices in 99 countries;
Deloitte’s data breach cyber-attack; and
Australian Red Cross’ privacy breach.

The extensive media coverage and public relations disasters from these events illustrate how important it is for businesses to consider what they should do both before and after the event, rather than mere reliance on third party services. Importantly, there is a legal requirement to do so as well.

What it means to comply

One aspect to ensuring your business complies with privacy laws is the manner in which obligations are documented in a service agreement with a third party service provider. However, it may not be possible to fully encompass some of the mandatory data breach notification scheme obligations in these agreements.

It is therefore imperative that, before 22 February 2018, businesses:

review their privacy policies;
create a data breach response plan; and
review their contracts with third party service providers.

One of our privacy experts at Bespoke would be happy to discuss the ‘eligible data breach’ and the mandatory data breach notification scheme with you in more detail.

^[1]Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) sections 26WB, 26WE, 26WH, 26WL, 26WR; ‘Who should notify?’ (August 2014) Office of the Australian Information Officer.
^[2]Privacy Act 1988 (Cth) section 6FB.
^[3]Privacy Act 1988 (Cth) sections 6C and 6D(4).

^{Security alert: mandatory data breach laws.}
^{Privacy: a new broom sweeps across borders.}
^{Privacy cleared for take off.}