Back in March of this year, we first wrote about the newly legislated amendments to the Privacy Act to cover Notifiable Data Breaches, in an effort to reduce the potential damage to an individual should their personal information be unwillingly disclosed.
As of the 1st of January 2018, this legislation is now being enforced, and it is up to all organisations to protect the data and information they keep on their clients. Specifically, non-compliance penalties of up to $1.8M for severe or repeated breaches will apply to:
- Businesses & Not-for-Profits with an annual turnover of more than $3M
- Health service providers, or holders of health information
- Credit reporting bodies
- Australian Government agencies
- Organisations which hold any individual’s Tax File Number
The Privacy Act requires that all personal and sensitive information must be protected and kept secure. This includes information such as names, addresses, Tax File Numbers, credit card details, financial information, identification cards, Driver’s Licences, next of kin details, medical history, etc.
A data breach, by definition, has occurred if any of this data is disclosed or accessed without prior authorisation, or is lost in any way, whether due to a malicious hack, a technological issue, or simply an unintended disclosure. If the loss of this information is likely to cause harm to those affected (for example, through identity theft), then it becomes a Notifiable Data Breach, and both the Australian Information Commissioner and the individuals affected must be notified within 30 days of becoming aware of the data breach.
The notification of the breach must include not only details of what information was leaked, but also an offer of assistance to those affected. For some organisations this could be a very onerous task, so as always, an ounce of prevention is worth a pound of cure (why does this not sound as meaningful when translated into metric, I wonder?). If you are at all concerned about the current security of your IT environment and the possibility of a Notifiable Data Breach, be it internal or external, happening to you, then you should discuss this with the Altitude Innovations Team without delay.