Privacy Laws and Data Breaches: What HR Needs to Know
Deepti Wadhwa, senior associate, Australian Business Lawyers & Advisors, provides information on what HR professionals in Australia should know about the GDPR. These are all terms you’ve probably been hearing a lot about recently. But what do they mean? How do they apply to your business? And why should you care?
The notifiable data breach scheme
Did you know that as of 22 February 2018, organisations covered by the Privacy Act must notify the Office of Information Commissioner (OAIC) and affected individuals if the organisation has suffered a serious data breach? Set out below are the criteria you should be aware of to determine how the new scheme affects your organisation:
Are you covered by the Privacy Act?
Private sector organisations that generate annual turnover of $3 million or more are covered by the Act. In addition, some prescribed categories of organisations are covered regardless of their turnover (e.g. health service providers). Organisations can also (and are often encouraged to) opt in to the Privacy Act.

What kinds of data are at play?
The Privacy Act covers several different types of information; most relevantly, it covers ‘personal information’. This is information or an opinion (true or not) about an identified or reasonably identifiable individual, whether or not the information or opinion is recorded.

What constitutes an eligible data breach requiring notification?
The new laws introduce the concept of an ‘eligible data breach’. This is where there has been unauthorised access to, disclosure of, or loss of personal information that is likely to result in serious harm to any individual affected.

What steps must you take if you identify a serious data breach?
Whether a data breach is likely to cause serious harm should be determined on a case-by-case basis. Time is of the essence in making this determination.
If an eligible data breach is identified, the organisation must prepare a statement relating to the breach, which must then be given to the OAIC, and its contents must also be notified to the affected individuals (personally or via publication).

What happens if you don’t comply with the new law?
Individuals can face penalties of up to $420,000, while companies can face penalties of up to $2.1 million. These are big figures!
What steps can your organisation take to ensure compliance with the new Scheme?
No organisation is immune to data breaches, but there are plenty of measures you can take to ensure your organisation is ready to act when and if a data breach occurs. You should:
- Conduct a privacy audit to understand the ins and outs of how your organisation deals with data.
- Update your privacy documents so that they include reference to the new scheme.
- Prepare a Data Breach Response Plan to ensure that you have an effective and legally-compliant action plan for responding to data breaches.
- Review the terms of your agreements with third-party suppliers/data hosts. As much as possible, your organisation should retain ownership of the data breach response process.
In a digital age it is very easy for you to lose sight of the management of important data. By undertaking the steps above you will be leading your organisation in the right direction in your data management and ensuring compliance with the new scheme.