Don’t be like the Commonwealth Bank: you can no longer hide data breaches affecting your customers. The new data breach laws in Australia essentially rule that local businesses are obliged to disclose data breaches when they happen, whether or not there is a serious consequence from the information being misused.
What are the objectives of the new data breach laws?
The objectives of the new data breach laws in Australia are to make sure that an “eligible data breach” is reported to the Office of the Australian Information Commissioner. The data concerned can comprise personal information, credit eligibility information, credit reporting information, and tax file number information. An affected entity has to report the incident to the Office of the Australian Information Commissioner and inform the affected parties within a maximum of 30 days from the date it became aware of the data breach.
Who do the new data breach laws in Australia apply to?
The new data breach laws in Australia apply to government agencies, companies and non-profit organizations governed by the Privacy Act 1988 which have a yearly turnover in excess of $3 million, with certain exceptions.
Some companies governed by the Privacy Act 1988 have a yearly turnover of less than $3 million; the new data breach laws apply to them as well. These companies include:
- Child care centers, private tertiary educational institutions or private schools;
- Companies which market or buy personal data, consumer credit reporting data or tax file numbers, credit providers, and other third parties;
- Conventional health service providers, e.g. private hospitals, medical practitioners, pharmacists or allied health professionals;
- Complementary therapists, e.g. chiropractors or naturopaths;
- Weight-loss clinics and gyms.
How should you prepare for the new data breach laws in Australia?
The new data breach laws require companies to adopt stricter rules related to cybersecurity, which should become the number one priority in all organizations.
Therefore, all companies which fall within the scope of the new data breach laws in Australia should take urgent measures, such as:
- Revise data collection policies and practices, internal information handling and data breach strategies to comply with the new requirements, and make sure that personal data are recorded and collected only when necessary;
- Audit how they store information and whether third parties record it on their behalf;
- Improve cybersecurity defences by reviewing cybersecurity practices and strategies to avoid data breaches;
- Make sure that data breach response plans are updated and operational, and ensure that internal and external contacts are in place who are able to respond promptly in case of a breach.
In case you need to know more about the new data breach laws, or for any type of legal advice, we invite you to get in touch with us.