Data Breaches and what to do about it

Any company that stores data for their clients, patients, or customers must check the regulations regarding privacy and notifiable data breaches.(NDB)

A  mandatory notification of data breaches  commences in February 2018, and the Office of the Australian Information Commissioner (OAIC) has put out three draft resources for public comment before  14 July 2017.

The statements are useful guidelines for companies bound by the Privacy Act.

The  resources deal with:

1. Identifying eligible data breaches;
2. Notifying individuals about an eligible data breach; and
3. The Australian Information Commissioner’s role in the NDB Scheme.

Identifying eligible data breaches

To check if an incident meets the threshold for  an eligible data breach, the guide gives  further clarity on the meaning of  “unauthorised access“, “unauthorised disclosure” and “loss” .

How an organisation  determines whether there is a “serious risk of harm” to an individual  as a consequence of the breach and what needs to be done to determine this, is based on what a “reasonable person” in the position of the entity would do, not  the particular individual. Close attention must be paid to the language of the Act and guide.

There are  some examples provided of remedial action  which may mitigate the “risk of serious harm”. The guides help an organisation assess these new obligationsin their circumstances.

Notifying individuals about an eligible data breach

The obligations to  notify all individuals of a breach, notify only those who are considered at “risk of serious harm” from it , and  where it is impractical to notify individuals, to publish notification, are covered by the guide.

The guide touches on the risks and benefits of different approaches and the relevant considerations for the three options.

The guide also provides one example of a data breach involving more than one organisation. This is an issue that is likely to be of concern for a business where there is more than one entity  in the service supply chain and contracts between them do not deal with how they will jointly deal with a data breach. An NDB can greatly affect both of their reputations.

 

Australian Information Commissioner’s role in the NDB Scheme

This brief guide gives background about the role of the Commissioner in terms of receiving notifications and enforcing compliance with the scheme. It also provides a  section describing  the powers that the Commissioner has including to make a declaration that notification need not be made or may be delayed.

Internal Controls, Testing and Audited Systems

 

It is very clear that data integrity and how we secure that data is going to be a far greater issue for all business and organisations that store data. Greater cost will be incurred to operate business as usual and to maintain normal procedures. It is critical to assess the strength of your organisation now and prepare the plan to respond to data breaches, especially those which may have consequences of a “serious risk of harm”. They say information is King and it has never been more true than in this new digital age. Ask us how to assess your compliance and prepare a risk audit.