
New Australian Data Breach Privacy Laws

Feb 28, 2018

The following article was supplied by AIMS, a governing insurance body of which AustBrokers Comsure is a member.

The Brand New Australian Data Breach Privacy Laws – What it means and what you need to consider.

In December 2017, the Australian Parliament enacted the Privacy Amendment (Notifiable Data Breaches) Bill 2017. The following is an update that recaps this new law and provides more practical recommendations on the steps that should be considered to reduce the risk of data breaches under the new law.

Who does it affect?

The new law applies to: (1) all businesses and non-government organisations with an annual turnover greater than $3 million, (2) all health service providers and, (3) a limited range of small businesses with turnover less than $3 million, including:

  • Businesses that sell or purchase personal information along with credit reporting bodies,
  • Child care centres, private schools and private tertiary educational activities,
  • Individuals who handle personal information for a living including those who handle credit reporting information, tax file numbers and health records,
  • Private sector health service providers including alternative medicine practices, gyms and weight loss clinics.

When does it start?

The new law took effect on 22 February 2018.

What is a data breach?

Data breaches occur in a number of ways including:

  • Lost or stolen laptops, removable storage devices, or paper records containing personal information.
  • Hard disk drives and other digital storage media (integrated in other devices eg: multifunction printers) being disposed of or returned to equipment lessors without the contents first being erased.
  • Databases containing personal information being hacked into or illegally accessed by individuals outside of the organisation or business.
  • Employees accessing or disclosing personal information outside the requirements or authorisation of their employment.
  • Paper records stolen from insecure recycling or garbage bins.
  • The organisation or business mistakenly providing personal information to the wrong person.
  • An individual deceiving the organisation or business into improperly releasing personal information of another person.

The new Act will require notification of “eligible data breaches”. These are defined as data breaches, including data loss incidents, where a “reasonable” person would conclude that the breach would be likely to result in serious harm to any of the affected individuals. Serious harm could include physical, psychological, emotional, financial and reputation harm.

The serious harm test does not require the harm to be suffered by all affected individuals – this must be assessed on a case by case basis. The test is satisfied if any individual whose information has been breached would suffer the harm. There are no prescribed triggers for notification in the legislation such as a threshold number of affected individuals.

Who do you have to notify?

The organisation must:

  1. Carry out a reasonable and expeditious assessment as to whether there has been an eligible data breach within 30 days of becoming aware of it.
  2. Notify affected individuals as soon as practicable, with the notification containing information including:
      • The identity of the organisation,
      • The description of the breach,
      • The kind of information concerned and,
      • Recommendations to the individual as to steps they should take to protect themselves as a result of the breach.

What are the penalties?

Penalties per non-disclosure range from $360,000 for individuals to $1.8 million for an organisation or business.

What Must I do NOW?

Apart from facing monetary fines for breaching the Act, customer and reputational damage can be equally if not more harmful. We recommend organisations be prepared and adopt the following recommendations now that the new data breach laws have taken effect:

  • Train all employees in security and fraud awareness, practices and procedures and codes of conduct.
  • Appoint an individual who is best placed to evaluate the likely harm of a data breach and whether there is a risk of serious harm.
  • Develop internal guidance, policies and procedures to define what constitutes serious harm in the context of your business.
  • Implement privacy enhancing technologies to secure personal information including measures such as access control, copy protection, intrusion detection and robust encryption.
  • Develop and test a data breach plan (or update your existing plan) – being pro-active about information security will put you in a better position to remediate harm.
  • Monitor your data breach plan including undertaking periodic assessments against relevant Australian Standards as a guide.
  • Review contracts with service providers to ensure they contain privacy and data breach notification obligations on the service provider to ensure they comply with your obligations.
  • Prepare a communication plan to publicise a notification and regularly test this to ensure it remains robust.
  • Consider taking out a Cyber Insurance Policy – find more information here.

Further Investigation:

We recommend taking a look at the following Australian Government website, which explains the new legislation in more detail.

The Office of the Australian Information Commissioner held a webinar recently that focused on the obligations of the Notifiable Data Breach Scheme and illustrated how the requirements will work in practice with case study examples. If you missed the webinar, find the presentation here.

What to do next?

Speak to AustBrokers Comsure regarding Cyber Liability Insurance. There are serious implications for those that don’t have the right insurance cover, or who lack Cyber Insurance cover altogether. Phone us on 1800 122 194 and speak to one of our qualified Insurance Advisers.
