On 22 February 2018 the Notifiable Data Breaches (NDB) scheme came into effect, making data breach notification mandatory. The scheme, introduced by amendments to the Privacy Act 1988 (Cth), requires organisations covered by the Act to notify the Australian Information Commissioner and any individuals whose personal information is involved in an eligible data breach, and to recommend the steps those individuals should take in response. As individuals and business owners it is therefore vital to understand your rights and responsibilities under the scheme.
It’s easy to assume that data breaches only arise from computer “hacking” or similar attacks, but that is not the case. A data breach can occur simply by leaving confidential papers on your desk, failing to collect printed documents from the printer, losing a mobile phone, iPad or USB drive, or misplacing a hard-copy document.
Any business with an annual turnover greater than $3 million is subject to the scheme and is expected to have in place a documented Data Breach Response Plan that clearly sets out the procedures to be followed when a data breach has occurred, or is suspected to have occurred. The Plan should also be consistent with, and complementary to, the organisation’s Privacy Policy.
A data breach occurs when personal information is lost, or is subjected to unauthorised access or disclosure. Personal information is information that identifies, or is about, an individual person. If the breach is likely to result in serious harm to any of the individuals concerned, and the organisation has not been able to prevent that likely harm through remedial action, the Office of the Australian Information Commissioner (OAIC) must be notified, as must the individuals affected.