Data and Privacy: Are you prepared for the new laws commencing this week?

You will need to take extra care to safeguard against the unauthorised access, loss or disclosure of personal information.

On 22 February 2018, the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) will take effect to introduce a new notifiable data breach scheme (NDB Scheme).

If you already have obligations under the Privacy Act 1988 (Cth) (Act) (including the Australian Privacy Principles (APPs)) to protect personal information, then the NDB Scheme will apply to you.

What are the new laws?

Under the NDB Scheme:

  1. if you experience a data breach that is likely to result in serious harm, you must notify the Australian Information Commissioner (Commissioner) and all affected individuals in relation to that data breach;

  2. if you suspect that you have experienced a data breach, you must quickly assess the situation to decide whether or not you have experienced a data breach that may require a notification;

  3. the Commissioner has wide powers to investigate compliance; and

  4. a failure to comply may result in fines of up to $2.1 million for corporations and $420,000 for other entities.

What should you do?

Generally, you need to ensure that you are complying with your existing obligations set out in the Act including by:

  • having a current and up-to-date privacy policy;

  • ensuring that you obtain all necessary consents, and that you make all relevant notifications, as required by the APPs; and

  • implementing personal information management systems, processes and procedures that comply with the requirements of the APPs.

Some specific steps that may assist you to comply with your obligations under the NDB Scheme include:

  • review and update your privacy policy and personal information management systems, processes and procedures;

  • appoint a person (or team) to manage any incident response;

  • document a data breach response plan, including guidelines for making a notification; and

  • review your contractual arrangements where multiple parties handle personal information.

If you experience any data breach, or if you would like help to prepare compliance policies or any further information, please contact us.


The material in this article was correct at the time of publication and has been prepared for information purposes only. It should not be taken to be specific advice or be used in decision-making. All readers are advised to undertake their own research or to seek professional advice to keep abreast of any reforms and developments in the law. Brown Wright Stein Lawyers excludes all liability relating to relying on the information and ideas contained in this article.

Contact: Anant Bamra