Navigating Australia’s new data breach notification laws
Published in: February 2018
Thousands of Australian small-to-medium-sized enterprises (SMEs) might not be adequately prepared for the Federal Government’s notifiable data breaches scheme (NDBS) that starts on 22 February.
NDBS directly affects businesses or charities with annual turnovers of more than $3 million but extends to a broader range of organisations and professionals in specific fields, for example, financial advisers, doctors, dentists, child care centres and private schools.
Many SMEs not specifically subject to NDBS because of the turnover threshold might need data protection and breach notification procedures simply because they deal with larger businesses and organisations, including all Commonwealth entities.
SMEs cannot assume they are too small to fall within the NDBS and must be prepared.
Procedural and routine changes introduced by SMEs’ larger service providers or their clients could affect them. Service providers could be hacked or accidentally release confidential information, inadvertently exposing their SME clients’ data.
SME owners and compliance officers should investigate NDBS requirements before 22 February to ensure they do not get into strife if their information is breached.
What is NDBS?
The Privacy Amendment (Notifiable Data Breaches) Act 2017 amends the Australian Privacy Act 1988 and requires relevant agencies and organisations to report to the Office of the Australian Information Commissioner (OAIC) when customer or other private information has been stolen or inadvertently released.
It is mandatory for affected businesses to report breaches to OAIC and notify those whose personal information has been released or stolen if “it is likely to result in serious harm”.
Formal breach notices must include recommendations on how to manage the breach and actions taken to help those affected.
A breach involving personal information that could lead to clients being identified or having their identities stolen is an eligible data breach. Such data includes names, addresses, phone numbers, dates of birth, tax file numbers, medical records, bank account details and, in some cases, opinions.
Individuals who fail to report breaches face penalties of up to $360,000 and, for organisations, $1.8 million.
SMEs bound by NDBS include, but are not limited to:
· entities that provide health services, including private hospitals, day surgeries, medical practitioners, pharmacists and allied health professionals; naturopaths and chiropractors; gyms and weight loss clinics; and child care centres and private schools
· smaller entities related to larger organisations covered by NDBS obligations
· credit providers, such as banks, building societies, finance companies or credit unions; retailers that issue credit with sales of goods or services; organisations that defer payment for goods or services for seven days or more; and some hiring, leasing and rental businesses
· entities that trade in personal information, including those that disclose personal information about individuals to anyone else for a benefit, service or advantage; or provide a benefit, service or advantage to collect personal information about other individuals from anyone else
· employee associations registered under the Fair Work (Registered Organisations) Act 2009
· organisations providing services to Commonwealth entities under contracts
· those operating residential tenancy databases
· entities that ‘opt-in’ to the Privacy Act’s principles.
How do SMEs know if they’re affected?
OAIC has a range of information and NDBS checklists on its website, including specific information to help SME business owners determine their obligations. SMEs should research NDBS requirements before 22 February or seek advice from OAIC.
Contact Eddy Neumann Lawyers on (02) 9264 9933 or