Should all businesses adopt the mandatory data breach reporting scheme as best practice?


Most businesses will be aware of the recent changes to the Privacy Act 1988, which introduced the new mandatory data breach notification scheme.

An outline of which businesses must comply with the scheme and what constitutes a reportable data breach is set out further below. However, an interesting question is: should all businesses adopt measures for compliance with the scheme? There is a strong argument that they should.

Almost all businesses use individuals’ personal information in some form, such as customer loyalty programs or e-commerce. The online and cloud nature of modern business means all data and information is trackable and open to breaches, whether by human error or security compromise.

Dealing with personal information doesn’t automatically mean a business must comply with the new scheme or that all breaches need reporting. The reporting component of the scheme is intended to deal with unauthorised access, disclosure or loss which may cause “serious harm” to individuals to whom such information relates.

The question for businesses is: what harm could a data breach do to their business?

With a national framework established by the scheme, businesses serious about operating at best practice should consider adopting processes and procedures for compliance with the scheme as part of their internal reporting. This will allow businesses to proactively manage the capture and use of personal information. It will give early warning of potential data breaches which, even if not externally reportable under the new scheme, could still prove costly to the business through loss of customer confidence, interruption to business and reputational damage.

Mandatory Data Breach Notification Scheme

On 22 February 2018, a new mandatory data breach notification scheme came into effect.

Businesses that have an annual turnover of greater than $3 million, certain government agencies and smaller organisations handling sensitive information are required to comply with the Privacy Act 1988 (Cth) (the Act).

The Act sets out requirements for the management of “personal information”, including its collection, use, storage, security, disclosure and destruction. Personal information is broadly defined to include “information or an opinion about an identified individual, or an individual who is reasonably identifiable whether the information or opinion is true or not or is recorded in material form or not”. Businesses should implement and maintain policies and procedures to ensure compliance with the Act’s privacy requirements. This includes a compliant Privacy Policy.

The new scheme requires businesses to be proactive where there has been an “eligible data breach”. An eligible data breach is unauthorised access to, disclosure of or loss of personal information, or the loss of information in circumstances where unauthorised access or disclosure is likely to occur, where the access, disclosure or loss is likely to result in “serious harm” to any of the individuals to whom the information relates. Businesses need to have in place processes for dealing with and managing an eligible data breach, including a data breach notification response plan.

Penny Brereton