Data Breaches and what to do about it
Any company that stores data for its clients, patients, or customers must check the regulations regarding privacy and notifiable data breaches (NDB).
A mandatory notification of data breaches commences in February 2018, and the Office of the Australian Information Commissioner (OAIC) has put out three draft resources for public comment before 14 July 2017.
The statements are useful guidelines for companies bound by the Privacy Act.
The resources deal with:
- Identifying eligible data breaches;
- Notifying individuals about an eligible data breach; and
- The Australian Information Commissioner’s role in the NDB Scheme.
Identifying eligible data breaches
To check if an incident meets the threshold for an eligible data breach, the guide gives further clarity on the meaning of “unauthorised access”, “unauthorised disclosure” and “loss”.
How an organisation determines whether there is a “serious risk of harm” to an individual as a consequence of the breach, and what it needs to do to make that determination, is based on what a “reasonable person” in the position of the entity would do, not on the view of the particular individual. Close attention must be paid to the language of the Act and the guide.
Some examples are provided of remedial action which may mitigate the “risk of serious harm”. The guides help an organisation assess these new obligations in its own circumstances.
Notifying individuals about an eligible data breach
The guide covers the three notification options: notifying all individuals affected by a breach; notifying only those considered at “risk of serious harm” from it; and, where it is impractical to notify individuals directly, publishing the notification.
The guide touches on the risks and benefits of different approaches and the relevant considerations for the three options.
The guide also provides one example of a data breach involving more than one organisation. This is likely to be a concern for a business where there is more than one entity in the service supply chain and the contracts between them do not set out how they will jointly handle a data breach. An NDB can greatly affect the reputations of both.
Australian Information Commissioner’s role in the NDB Scheme
This brief guide gives background on the role of the Commissioner in receiving notifications and enforcing compliance with the scheme. It also includes a section describing the Commissioner’s powers, including the power to declare that notification need not be made or may be delayed.
Internal Controls, Testing and Audited Systems
It is very clear that data integrity, and how we secure that data, is going to be a far greater issue for all businesses and organisations that store data. Greater cost will be incurred to operate business as usual and to maintain normal procedures. It is critical to assess the strength of your organisation now and prepare a plan to respond to data breaches, especially those which may carry a “serious risk of harm”. They say information is King, and it has never been more true than in this new digital age. Ask us how to assess your compliance and prepare a risk audit.