An entity that is required to comply with the Privacy Act 1988 must take reasonable steps to protect the personal information it holds from misuse, interference and loss, as well as unauthorised access, modification or disclosure. This extends to situations where an entity engages a third party to store, maintain or process personal information on its behalf.
In February of this year the Commonwealth government passed the Privacy Amendment (Notifiable Data Breaches) Bill 2016, which will amend the Privacy Act, making it mandatory for companies and organisations to report “eligible data breaches” to the Office of the Australian Information Commissioner (OAIC) and any affected, at-risk individuals.
Does the Privacy Act apply to my organisation?
Australian Government agencies and all businesses and not-for-profit organisations with an annual turnover more than $3 million have responsibilities under the Privacy Act, subject to some exceptions.
Some small business operators (organisations with a turnover of $3 million or less) are nonetheless covered by the Privacy Act, including:
- private sector health service providers. Organisations providing a health service include:
  - traditional health service providers, such as private hospitals, day surgeries, medical practitioners, pharmacists and allied health professionals
  - complementary therapists, such as naturopaths and chiropractors
  - gyms and weight loss clinics
  - child care centres, private schools and private tertiary educational institutions
- businesses that sell or purchase personal information
- credit reporting bodies
More information about responsibilities under the Privacy Act can be found here.
What are reasonable steps?
The reasonable steps an entity should take to secure the personal information it holds depend on the circumstances, including the following:
- the nature of the entity holding the personal information
- the amount and sensitivity of the personal information held
- the possible adverse consequences for an individual
- the information handling practices of the entity holding the information
- the practicability of implementing the security measure, including the time and cost involved
- whether a security measure is itself privacy invasive.
Guidance from the OAIC on what "reasonable steps" are may be found here.
Reasonable steps would include:
- Conducting Privacy Impact Assessments (PIAs)
- Implementing privacy by design principles
- Performing information security risk assessments
- Maintaining a comprehensive and up-to-date set of information security policies
- Restricting physical and logical access to personal information on a "need-to-know" basis
- Keeping software up to date and patched
- Employing multi-factor authentication
- Configuring systems securely
- Employing endpoint security software
- Deploying security monitoring tools to detect breaches
- Using network security tools
- Conducting penetration testing exercises
- Performing vulnerability assessments
- Having a data breach response process
What is mandatory data breach notification?
Mandatory data breach notification is a legal requirement designed to protect the individuals affected by a data breach, so that they can take the necessary steps to protect themselves from harm. Notifying affected individuals is good privacy practice: it gives each person the opportunity to take proactive steps to protect their personal information, and it helps protect an organisation's reputation by demonstrating transparency and openness.
The mandatory data breach notification scheme being introduced will require entities to promptly notify the Office of the Australian Information Commissioner (OAIC) and any potentially affected individuals of an "eligible data breach".
When has an eligible data breach occurred?
An eligible data breach occurs when: