A new dawn has arrived in Australia in relation to data security breaches.
Government organisations, businesses and consumer groups are required to work together in transitioning to the Privacy Amendment (Notifiable Data Breaches) Bill 2016 which establishes a mandatory data breach notification scheme in Australia and aims to strengthen community trust in businesses and agencies.
This bill is applicable if your organisation meets any of the following criteria:
Australian Government agencies (governed by Office of the Australian Information Commissioner)
Businesses and not-for-profit organisations with an annual turnover of more than $3 million.
For Business with annual turnover less than 3 million but involved as:
Private sector health services providers (even alternative medicine practices, gyms and weight loss clinics fall under this category)
Child care centres, private schools and private tertiary educational institutions.
Businesses that sell or purchase personal information along with credit reporting bodies.
Irrespective of applicability this is an opportunity to review how your organisation manages and protects its data, and better prepare yourself for managing a data breach when it occurs.
The Bill will now be presented to the Governor-General and its key provisions will come into operation on a date fixed by proclamation or 12 months after assent.
A civil penalty for serious or repeated interferences with the privacy of an individual will be issued by the Federal Court or Federal Circuit Court of Australia following an application by the [Privacy] Commissioner. Serious or repeated interferences with the privacy of an individual attract a maximum penalty of $360,000 for individuals and $1,800,000 for bodies corporate.
Step 1: Before collecting Private Information consider
What personal information is necessary to collect?
How long does the personal information need to be kept?
Step 2: Put reasonable controls to secure above information
Risk assessment – Identify the security risks to personal information held by the organisation and the consequences of a breach of security.
Policy development – Develop a policy or range of policies that implement measures, practices and procedures to reduce the identified risks to information security.
Staff training – Train staff and managers in security and fraud awareness, practices and procedures and codes of conduct.
Technology – Implement privacy enhancing technologies such as access control, copy protection, intrusion detection, and robust encryption.
Monitoring and review – Monitor compliance with the organisation’s security policy
Define appropriate contract management processes with external IT Vendors
1. Contain the breach and make a preliminary assessment
Take immediate steps to contain breach
Designate person/team to coordinate response
2. Consider breach notification
Risk analysis on a case-by-case basis
Not all breaches necessarily warrant notification
3. Evaluate the risks for individuals associated with the breach
Consider what personal information is involved
Determine whether the context of the information is important
Establish the cause and extent of the breach
Identify what is the risk of harm
4. Review the incident and take action to prevent future breaches
Fully investigate the cause of the breach
Consider developing a prevention plan
Option of audit to ensure plan implemented
Update security/ response plan
Make appropriate changes to policies and procedures
If you would like to find out more on cyber security and ways in which you can protect your data, please contact you ShineWing Australia relationship partner on the details below.
Partner, Assurance and IT Advisory Services
T +61 3 8635 1800
Senior Manager, Assurance and IT Advisory Services
T +61 3 8779 6517