Privacy laws and data breaches: what HR needs to know

No organisation is immune to data breaches, but there are plenty of measures you can take to improve security.

Privacy laws. Data breaches. General data protection.

These are all terms you’ve probably been hearing a lot about recently. But what do they mean? How do they apply to your business? And why should you care?

The Notifiable Data Breaches scheme
Since 22 February 2018, organisations covered by the Privacy Act must notify the Office of the Australian Information Commissioner (OAIC) and affected individuals if they suffer what the Act calls an ‘eligible data breach’. Set out below are the questions you should work through to determine how the scheme affects your organisation:

Are you covered by the Privacy Act?

Private sector organisations with an annual turnover of $3 million or more are covered by the Act. Some prescribed categories of organisation are covered regardless of turnover, including health service providers, credit reporting bodies and businesses that trade in personal information. Organisations below the threshold can also (and are often encouraged to) opt in to the Privacy Act.

What kinds of data are at play?

The Privacy Act covers several types of information, but the one that matters most here is ‘personal information’: information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether or not the information or opinion is true, and whether or not it is recorded in a material form.

What constitutes an eligible data breach requiring notification?

The scheme introduces the concept of an ‘eligible data breach’. This occurs where there has been unauthorised access to, or unauthorised disclosure of, personal information and a reasonable person would conclude that the access or disclosure is likely to result in serious harm to any of the individuals to whom the information relates. A loss of personal information (for example, a misplaced laptop or USB drive) is also an eligible data breach if unauthorised access or disclosure is likely to occur and would be likely to result in serious harm.

What steps must you take if you suspect an eligible data breach?

Whether a data breach is likely to cause serious harm should be determined on a case-by-case basis, taking into account matters such as the kind and sensitivity of the information, whether it was protected (for example, by encryption) and who is likely to have obtained it. Time is of the essence: if you suspect, but are not yet certain, that an eligible data breach has occurred, the Act requires you to carry out a reasonable and expeditious assessment and to take all reasonable steps to complete it within 30 days of becoming aware of the suspicion. If prompt remedial action means that serious harm is no longer likely, the incident is not an eligible data breach and does not need to be notified.

If an eligible data breach is identified, the organisation must, as soon as practicable, prepare a statement about the breach and give it to the OAIC. The statement must identify the organisation and its contact details, describe the breach and the kinds of information involved, and recommend steps individuals should take in response. The contents of the statement must also be notified to the affected individuals, either directly (to all individuals whose information was involved, or only to those at risk of serious harm) or, if direct notification is not practicable, by publishing the statement on the organisation’s website and taking reasonable steps to publicise it.

What happens if you don’t comply with the new law?

A failure to comply with the scheme can amount to a serious or repeated interference with privacy, for which individuals can face civil penalties of up to $420,000 and companies penalties of up to $2.1 million. These are big figures!

What steps can your organisation take to ensure compliance with the new Scheme?
No organisation is immune to data breaches, but there are plenty of measures you can take to ensure your organisation is ready to act when a data breach occurs. You should:
  1. Conduct a privacy audit to understand what personal information your organisation collects, where it is stored, who can access it and when it is destroyed.
  2. Update your privacy documents (privacy policy, collection notices and internal procedures) so that they reflect the new scheme.
  3. Prepare a Data Breach Response Plan that sets out who is responsible for containing, assessing and notifying a breach, so that you have an effective and legally compliant action plan rather than working out roles under pressure.
  4. Review the terms of your agreements with third party suppliers and data hosts. Where more than one organisation holds the same personal information, the scheme only requires one of them to notify, so your contracts should oblige suppliers to tell you promptly of any breach and make clear who investigates and who notifies. As much as possible, your organisation should retain ownership of the data breach response process.

In a digital age it is easy to lose sight of how important data is managed. By taking the steps above you will lead your organisation in the right direction on data management and towards compliance with the new scheme.

Do you do business in the EU? If so, watch out!
Data protection is not just a hot topic in Australia. The European General Data Protection Regulation (GDPR) is a comprehensive overhaul of data protection law in the EU and comes into effect on 25 May 2018. It will apply to businesses that:
  • have an establishment in the EU (regardless of whether the processing of personal data takes place in the EU); or
  • do not have an establishment in the EU, but offer goods and/or services to individuals in the EU or monitor the behaviour of individuals in the EU.

The GDPR also has its own breach notification regime: a personal data breach must be reported to the relevant supervisory authority within 72 hours of the business becoming aware of it, unless the breach is unlikely to result in a risk to individuals, so a business caught by both laws cannot rely on the Australian timetable alone.

If your business meets either of the criteria above, it is important that you receive tailored advice on the incoming laws and how they will affect your business dealings in the EU.

Contact Deepti on 1300 565 846 if you would like any assistance in respect of the subject matter of this article.   

Deepti Wadhwa, senior associate, Australian Business Lawyers & Advisors.