A handy reference guide – Data Breach reporting and how it may affect you!

Leading up to the introduction of the data breach laws, we gathered information that we found useful and are sharing it here, as it may also be useful for you or someone you know. Read on for what the scheme is, who it affects and how to report data breaches.

What is it?
On 11 February 2018, new data breach laws came into place (via the Privacy Act 1998) which compel organisations to report data breaches to the Office of the Australian Information Commissioner (“OAIC”).

A data breach is when personal information that could lead to serious harm is disclosed to, or made accessible to, another party, and that harm cannot be prevented by remedial action. While this may seem designed for unauthorised data access, the same laws also apply when information that could be used for identity theft is accidentally sent to the wrong address, so bear in mind that the medium by which the information was disclosed is not the issue at hand.

For more: https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme/identifying-eligible-data-breaches#eligible-data-breach

Who does it affect?
If your organisation has an annual turnover of more than $3 million, or is a private sector health service provider, a credit reporting body, a credit provider, an entity that trades in personal information or a tax file number recipient, you must report data breaches. Given the wide scope of the entities listed and best commercial practice, it may be prudent to develop a data breach reporting procedure for your organisation in advance, so it is ready if a breach occurs.

For more: https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme/entities-covered-by-the-ndb-scheme

There are some exceptions, but they are unlikely to apply to data breaches suffered by a commercial entity outside the health sector (which has a separate reporting scheme).

Where a breach is suffered by more than one entity, it need only be reported once. As a general rule, the OAIC suggests that the disclosure be made by the entity dealing directly with the individuals affected by the data breach.

For more: https://www.oaic.gov.au/agencies-and-organisations/guides/data-breach-preparation-and-response#data-breaches-involving-more-than-one-entity

How to report?
To report a data breach, you must notify the affected party and lodge a notification with the OAIC. The OAIC has an online form for this purpose.

For more: https://www.oaic.gov.au/agencies-and-organisations/guides/data-breach-preparation-and-response#what-to-include-in-an-eligible-data-breach-statement

These laws are designed around breaches of the security of personal information, such as dates of birth and TFNs, and so do not apply to business information. The OAIC also recommends that you attempt to remedy the data breach wherever possible, and requires data breaches to be reported within 30 days of discovering them.

As a matter of good practice, you may wish to consider advising affected parties of breaches of business information as well as personal information. The OAIC also recommends that breaches be reported before the 30 day limit rather than at it. Most accounting firms will be affected by this reporting regime as they are TFN recipients; small law firms, however, may not be. Overseas bodies operating in Australia are also covered by the reporting regime.

Some further resources that may also be helpful or interesting:

ACORN – https://www.acorn.gov.au/ – Australian Cybercrime Online Reporting Network

IDCARE – https://www.idcare.org/ – A charity that assists individuals with identity and cyber security issues. Supported by the Australian government and, increasingly, by insurers.