Published in BD Mag, Issue 5, June-July 2018.
The Notifiable Data Breaches (NDB) scheme, introduced by the Privacy Amendment (Notifiable Data Breaches) Act 2017, is new legislation that makes businesses accountable for protecting the personal information they hold.
As of 22 February this year, the NDB scheme applies to all agencies and organisations with existing personal information security obligations under the Australian Privacy Act 1988 (Privacy Act). This new scheme means that businesses are now obliged to have procedures in place to ensure that they are prepared to conduct a reasonable and expeditious assessment of any suspected data breaches to determine if any are likely to result in serious harm, and as a result require notification.
The NDB scheme provides a framework for meeting expectations of accountability and transparency in data breach prevention and management, which for businesses is key to maintaining and building consumer and community trust.
Companies must not only show that they are taking reasonable steps to secure personal information, but must also complete their assessment of a suspected breach within the 30-day window the scheme allows, and then notify the Office of the Australian Information Commissioner (OAIC) and the affected individuals as soon as practicable, including a description of the breach and the kinds of information affected. Both elements must be met, or entities that seriously or repeatedly interfere with privacy could face fines of up to $1.8 million.
Strong data management is an integral part of the successful, and secure, operation of businesses worldwide, with data analysis playing a vital role in identifying opportunities and building a closer understanding of the business, its market and its requirements.
Data has proved a powerful fuel for innovation that can benefit business and our community in unprecedented ways, but it comes with a great deal of trust: the trust of customers that your business will protect their privacy and personal details.
A breach involving the loss or disclosure of personal information held by your business can put affected individuals at risk of serious harm and consequently damage your reputation as a data custodian.
Being prepared for a data breach is vital for every organisation that handles personal information. A quick and effective response can reduce or remove the risk of harm to individuals, and is what both the legislation and the community expect.
“A notifiable data breach can be as simple as losing a phone or USB with company information on it, to a cyberattack on your central database,” explains ADITS Managing Director, Ashley Darwen. “It is crucial for Townsville businesses to understand that compliance is mandatory. This includes both taking reasonable steps and providing timely notification of all data breaches.”
Examples of data breaches include the loss or theft of devices or physical records that contain personal information, unauthorised access to personal information by an employee, human error that results in the inadvertent disclosure of personal information, and inadequate identity verification procedures that result in an individual's personal information being disclosed to an unauthorised person.
Data breaches can result in significant loss, damage or harm in many forms, such as fraud, identity theft, violence and intimidation for the person or persons affected, as well as damage to the entity's reputation for protecting privacy.
Ashley explains that it is now more important than ever to manage this process and suggests that businesses undertake “a full review process to implement the new reasonable steps required to ensure businesses are compliant and their data is protected.”