Tips
Bec Newman
GDPR and your data's end-of-life
GDPR and your data's end-of-life
Opinion
Bec Newman
GDPR: The lay of the land
GDPR: The lay of the land
Tips
Bec Newman
Privacy Amendment (Notifiable Data Breaches) ...
Privacy Amendment (Notifiable Data Breaches) Act 2017: Tips for best practices
Opinion, Tips
Bec Newman
Privacy Amendment (Notifiable Data Breaches) ...
Privacy Amendment (Notifiable Data Breaches) Act 2017: How data destruction helps with compliance
Tips
Bec Newman
Privacy Amendment (Notifiable Data Breaches) ...
Privacy Amendment (Notifiable Data Breaches) Act 2017: Eligible data breaches

Tips

GDPR and your data's end-of-life

Why is data destruction important under the GDPR?

The General Data Protection Regulation (GDPR) will come into force on 25th May 2018, and is changing the way organisations handle customers’ personal data at every stage of business. The new legislation means that destruction of unused data is more vital to businesses than ever before; it is the law. In order to comply with the strict standards of the new legislation, all businesses will need to make correct data destruction a part of their security strategy and practice by the time the GDPR is introduced.

AdobeStock_196917685_lower res.jpeg

The GDPR will replace existing legislation and will impose heavy fines for data breaches (up to 20 million Euros or 4% of a company’s annual global turnover). Though the GDPR is an EU regulation, every organisation that conducts business with EU data subjects is required to comply. The severity of the consequences and the global impact of this change mean it is in the immediate best interest of every business to integrate seamless data handling processes throughout their security framework. This is especially true when it comes to end-of-life data destruction.

While the security of live and in-use data is certainly felt to be a high priority by many businesses, end-of-life data security often slips through the cracks. However, information that is no longer of use to a business still retains its sensitive nature and therefore poses an unnecessary breach risk. Examples include past customers’ contact information, names, historical records, and financial information. Lengthy storage or incorrect disposal of these end-of-life data creates risk of accidental loss, theft, and intentional misuse by external parties. Under the GDPR, individuals will also have the right to request the destruction of their own data, so correct destruction is likely to be at the forefront of public consciousness.

Disposing of data correctly, immediately after it is no longer relevant or necessary to conduct business, minimises an organisations’ risk of a data breach by reducing the amount of stored information. It also prevents end-of-life data from being stolen or misplaced after use, and falling into the hands of potentially negligent or malicious parties either inside or outside the organisation.

How can AVTEL Data Destruction help?  

Though several options exist for data destruction, not every method ensures safety and total compliance with the GDPR. The unique milling method offered by AVTEL Data Destruction is the only process that can completely ensure that the data-holding devices and the information that they contain are destroyed safely and permanently.

By milling the data-holding device into particles smaller than 9mm, AVTEL Data Destruction's process ensures a level of safety that exceeds every other technique available today. This market-leading technology is completely mobile, mitigating the risks posed by the transportation and handling of sensitive personal data. The on-site destruction is completely safe for every individual involved in the process. Physical elements of the eradicated hard drives are carefully disposed of in the most environmentally sound method available, going beyond the typical standard of many destruction providers, which often creates unnecessary risks for people and the environment.

Most importantly, the AVTEL Data Destruction process is able to be audited from start to finish, with CCTV and digital imaging software ensuring complete compliance and auditability. Under the GDPR, traceability, and proof of conduct will become increasingly important in the process of protecting customer data, and therefore protecting businesses from a breach, and will be required of all organisations that hold sensitive personal data. With AVTEL Data Destruction, organisations can be sure that not only is their data destroyed permanently and safely, but also that it will stand up to the strict standards that will be necessary under the impending changes of the GDPR.

 

This blog post is intended for informational purposes only. Although every effort has been made to present accurate and current information, accuracy cannot be guaranteed. Please note that the information within this blog post does not constitute legal advice and should not be relied upon as such. For legal or professional advice, contact a solicitor.

 

Privacy Amendment (Notifiable Data Breaches) Act 2017: Tips for best practices

This is the final part in our 6 part series on the new Privacy Amendment (Notifiable Data Breaches) Act 2017, coming into effect in Australia today, 22nd February 2018. Click here to read the rest of the series.

Over the last 5 weeks, we’ve discussed the NDB Act in detail, covering the basics, what qualifies as a breach under the scheme, penalties, implications, and our thoughts on the NDB Act. This week, we look closer at how you can best prepare your business for the new legislation.

AdobeStock_187037812.jpeg

Best practice for compliance

In the face of the changes to privacy law this month, every Australian business needs to inspect and assess the standard of their data protection practices. Organisations should be reviewing and renewing their data handling policies, retraining staff, rewriting data breach response plans, and elevating data security to boardroom level. The steps in this post act as a guide to help businesses properly assess their protection practices. This list is not exhaustive, but is a solid starting point for businesses preparing for the NDB Act to come into effect.

1. Policies

  • Conduct a Privacy Impact Assessment (PIA) or an assessment of information security risk. The OAIC website can help you to determine if you require a PIA or an information security risk assessment.
  • Redraft data protection and security policies and standards relating to data collection, data residency and retention, and data destruction.
  • Review agency agreements and candidate policies, outsourcing agreements, and third party contracts.

2. Staff

  • Involve senior management in the digital security process.
  • Consider appointing a steering committee to ensure your practices will stand up to the new legislation.
  • Consider appointing a dedicated data protection officer.
  • Educate your staff on good cyber-security workplace habits.
  • Review the code of conduct for all employees.
  • Ensure your staff complies with strict policies regarding sensitive data.
  • Ensure all contractors and suppliers with access to personal information comply with your policies.

3. Practice

  • Equip all hard drives with digital security safeguards and software.
  • Keep all programs updated and patched.
  • Ensure that your information handling practices include privacy protection measures.
  • Work with a reputable data destruction company to dispose of digital copies of personal information safely and permanently.

4. Response procedures

  • Install appropriate monitoring and alarm systems so that immediate action can be taken in the case of a breach.
  • Introduce a data breach response plan that includes reporting to the Office of the Australian Information Commissioner.
  • Consider insurance as a means of covering losses in the case of an eligible data breach.

The correct policy, practice, education, and response procedures will minimise the risk of experiencing a data breach. At the same time, these steps will help your business fulfil the legal requirements of the Privacy Act 1988 and the Privacy Amendment (Notifiable Data Breaches) Act 2017. By employing best practice and keeping all your procedures up to date, you will safeguard yourself, your reputation, and your customers against the potential risks of an eligible data breach.

 

For more information, click here to download our white paper all about the new Act, including our tips and advice on meeting your data security obligations.

 

This blog post is intended for informational purposes only. Although every effort has been made to present accurate and current information, accuracy cannot be guaranteed. Please note that the information within this blog post does not constitute legal advice and should not be relied upon as such. For legal or professional advice, contact a solicitor.

 
,

Privacy Amendment (Notifiable Data Breaches) Act 2017: How data destruction helps with compliance

,

This is Part 5 in our 6 part series on the new Privacy Amendment (Notifiable Data Breaches) Act 2017, coming into effect in Australia on 22nd February 2018. Click here to read the rest of the series.

So far in this series we’ve covered the most essential components of the Notifiable Data Breaches amendment to the Privacy Act, including who is affected, the implications, and what constitutes an eligible breach. This week, we discuss the changes we face under the NDB Act and how to prepare for the new law.

Digital security practices and the NDB Act

Digital security practice in Australia is likely to undergo significant change with the introduction of the NDB Act this year. The legislation will introduce a whole new way of thinking about data protection for Australian businesses.

Each year, cyber crimes are estimated to cost Australians $2 billion. Data breaches supply identity criminals with personal information — PayPal accounts, credit card details, bank log-in credentials, names, addresses, passports, and driver’s licences — that are in turn used in fraudulent acts.

When notification of an individual is voluntary it can be many months, or even years, before affected individuals are made aware of a breach. This leaves individuals completely in the dark when potentially malicious parties hold their information and renders them unable to take action to safeguard themselves. Right now, it takes companies an average of one year to process a notification, if they do so at all. Compare that to the average time it takes for cyber criminals to use information fraudulently — just 3 days — and it’s clear that most Australians will benefit from the mandatory notification scheme.

For businesses, there’s a strong incentive under the NDB Act to avoid data breaches; regardless of if they report the breach, the consequences can be severe. A Ponemon Institute report last year found that data breaches can incur an average of $2.51 million in costs and losses for a single business, through disruption and profit loss resulting from a decline in customer trust.

Mandatory notification will inevitably bring about a shift in public awareness of digital security issues — Australians are likely to hear about more data breaches in the coming years and become more aware of how companies handle their data. Companies will be legally obliged to respond sooner, resulting in individuals being made aware of breaches sooner, allowing them to better protect themselves. The NDB Act will eventually mean tighter digital security Australia wide.

Avtel Data Destruction.jpg

Data destruction and the NDB Act

As part of their strategy to comply with the new law, companies need to ensure data destruction is a part of their protection protocol. Businesses subject to the Privacy Act 1988 (Privacy Act) and the Australian Privacy Principals (APPs) are obliged to put in place reasonable security safeguards to protect the information they hold from misuse, loss, unauthorised access, disclosure, or interference. They’re also required to destroy or de-identify personal information once it is no longer needed. Companies are legally obliged to employ appropriate data security for live data, and to destroy all end-of-life data.

This means that correct data destruction is not only an easy way to help avoid unnecessary data breaches, but also constitutes a legal obligation. When drives are stored under security, or no longer function normally, the data they contain can usually be retrieved. Properly destroying hard drives and other data storage devices is the only way to ensure data is completely eradicated, which will consequently help safeguard your company from data breaches and comply with the law.

The employment of secure data destruction methods is one of many changes that will need to happen within all Australian companies as the commencement of the NDB Act draws nearer.

Preparation for the NDB Act

A recent report found under half of the companies surveyed think they can respond well to a data breach involving business confidential information and intellectual property. That number indicates the confidence of individuals within the company and reflects the lack of faith Australians have in data-holding organisations. Studies indicate that in some sectors (especially telecommunications, government, and banking) close to half of Australians expect an imminent data breach.

In some ways, the legislation is going to further this mistrust in the short term by publicising more breaches. Therefore, it’s essential that businesses start preparing immediately for the change. As a business owner you must become confident in your business’s ability to handle data securely and enact a breach response plan, along with reporting the breach if one does occur. As an employee, know your responsibilities and the potential risks involved.

The Privacy Act and the APPs inform privacy protection in Australia. Being familiar with these documents and following the 10 steps recommended by AVTEL Data Destruction experts in this blog post is a good place to start for good digital security.

Next week: In our final blog post in this series, we discuss best practice for security and compliance with the NDB Act.

 

For more information, click here to download our white paper all about the new Act, including our tips and advice on meeting your data security obligations.

 

This blog post is intended for informational purposes only. Although every effort has been made to present accurate and current information, accuracy cannot be guaranteed. Please note that the information within this blog post does not constitute legal advice and should not be relied upon as such. For legal or professional advice, contact a solicitor.

 

Privacy Amendment (Notifiable Data Breaches) Act 2017: When an eligible breach occurs

This is Part 4 in our 6 part series on the new Privacy Amendment (Notifiable Data Breaches) Act 2017, coming into effect in Australia on 22nd February 2018. Click here to read the whole series.

AdobeStock_41908523 copy.jpeg

So far, we’ve covered the basics of the NDB Act, what the act involves and who needs to comply, as well as what this legislative change might mean for Australian businesses. This week, we look at what happens in the case of an eligible breach, and how non-compliance will be penalised.

What happens if an eligible breach occurs?

If an organisation experiences a breach, it will be the responsibility of that organisation to ensure it is dealt with correctly and quickly. Organisations have a duty of notification to the Office of the Australian Information Commissioner (OAIC), as well as to the individuals whose information was compromised. If there are reasonable grounds to believe a breach has occurred, notification should be given as soon as practicable, within 30 days.

To notify correctly, the organisation should prepare a statement, including:

  • the identity and contact details of the organisation that experienced the breach;
  • a description of the breach;
  • a description of the type of information involved in the breach; and
  • recommendations for possible steps to be taken in response to the breach.

All parties at risk of serious harm must be notified. If it isn’t possible to separately notify only those who are at risk, the organisation should notify all the individuals whose information was involved (or potentially involved) in the breach, even if some may not be at risk of serious harm. If neither of these options is practicable, notification must be published on the organisation’s website (if it has one). The website notice must be publicised sufficiently, so that the individuals are likely to see it and to know that their data has been compromised. 

What are the penalties of non-compliance?

The NDB scheme calls for strict compliance, with non-compliance attracting heavy financial penalties and other consequences. While monetary consequences are the most obvious, there are some serious practical ramifications for businesses that choose not to report an eligible breach. In some cases, the financial cost is only one aspect of a larger problem, such as business interruption and loss of customer trust.

The ramifications of non-compliance and failure to report can include:

  • fines of up to $360,000 for individuals;
  • fines of up to $1.8 million for organisations;
  • legal aid costs;
  • costs incurred by business interruption; and
  • costs incurred by incident response and efforts to repair customer trust.

It’s important to remember that even correctly reporting a breach is likely to carry lower, though still significant, financial and practical consequences, including:

  • damage to reputation and a loss of customer trust (and the cost of repairing reputation);
  • financial costs incurred by business interruption; and
  • financial costs incurred by incident response.

These consequences are disincentives for businesses to allow a breach to occur, and especially discourage businesses from hiding a breach if it does occur. This is in line with the goals of the NDB Act, which should increase digital security and decrease the instance of data breaches in Australia.

The consequences of reporting a breach, and the penalties for non-compliance, mean that businesses will have a strong incentive to tighten all aspects of digital security. The new consequences of a data breach should spark a systematic change of attitude for many organisations. Data security poses a growing risk with increasing ramifications, and needs to be elevated to boardroom level as the NDB Act is introduced this month.

 

For more information, click here to download our white paper all about the new Act, including our tips and advice on meeting your data security obligations.

 

This blog post is intended for informational purposes only. Although every effort has been made to present accurate and current information, accuracy cannot be guaranteed. Please note that the information within this blog post does not constitute legal advice and should not be relied upon as such. For legal or professional advice, contact a solicitor.

 

Privacy Amendment (Notifiable Data Breaches) Act 2017: Data, compliance and implications

This is Part 3 in our 6 part series on the new Privacy Amendment (Notifiable Data Breaches) Act 2017, coming into effect in Australia on 22nd February 2018. Click here to read Part 1: Introduction to the new legislation. Click here to read Part 2: Eligible data breaches.

AdobeStock_107692785 copy.jpeg

In previous posts, we introduced you to the basics of the NDB Act, including what makes a breach ‘eligible’ for reporting under the Act. This week we look at what kind of data the NDB Act will cover, who needs to comply, and the implications this Act will have on Australian digital security in the workplace.

What kind of data does the Act cover?

The Privacy Amendment (Notifiable Data Breaches) Act 2017 applies to all personal information collected and stored by organisations in the course of doing business. Personal information is considered sensitive, or able to cause any type of harm to an individual if it is disclosed without authority. For example, unauthorised disclosure may enable another person or people to commit fraudulent activity resulting in financial crime or identity theft, damage the reputation of an individual or their business, or involve a risk of physical harm.

Some types of information covered by the Act are listed below. Though the list is not exhaustive, it gives an indication of the nature of private or sensitive information, and is a good starting point for companies to understand the wide scope of the NDB Act. The act can cover:

  • Names;
  • Telephone numbers;
  • Postal addresses;
  • Email addresses;
  • Identification, such as drivers licence or passport information;
  • Medical records;
  • Personal opinion statements of a sensitive nature;
  • TFN numbers;
  • Online identifiers such as IP addresses; and
  • Login details for online banking and payment accounts.

Disclosure of any one of these types alone, or several types in one incident, can constitute an eligible breach. A certain number of individuals need not be at risk; the unauthorised access of a single individual’s information can constitute an eligible breach.

Who needs to comply?

The NDB Act will apply to most Australian businesses and government agencies that collect, handle, or store personal information. As an amendment to the existing Privacy Act 1988, the NDB Act will govern any organisations currently operating under that Privacy Act. This includes:

  • businesses and not-for-profit organisations with an annual turnover greater than $3 million;
  • Australian government agencies;
  • health services in the private sector including alternative medicines and fitness institutions;
  • child care centres, private schools, and other private educational institutions; and
  • businesses that sell or purchase personal information in conjunction with credit reporting bodies.

What are the key implications?

The Act will change the way organisations look at digital security, by creating a strong disincentive for businesses to allow a data breach. The new law leaves no room for a breach to occur without a penalty. If a breach occurs, organisations will be obliged to notify the OAIC and the affected individuals, essentially publicising their failure to keep data safe. Public knowledge of a breach can incur damage to reputation, along with financial costs arising from legal aid and efforts to regain customer trust.

If, however, a breach is discovered not to have been reported correctly, the financial costs rise, including legal costs, clean-up, and fines of up to $1.8 million dollars. It follows that the only solution for businesses under the NDB Act is not to allow a breach to occur.

The Act is intended to create a sense of transparency across Australian organisations, and assure Australians that businesses are taking personal digital security seriously. It should encourage organisations to inspect and improve their digital security practices prior to 22nd February 2018 and to maintain best practice for digital security into the future.

 

For more information, click here to download our white paper all about the new Act, including our tips and advice on meeting your data security obligations.

 

This blog post is intended for informational purposes only. Although every effort has been made to present accurate and current information, accuracy cannot be guaranteed. Please note that the information within this blog post does not constitute legal advice and should not be relied upon as such. For legal or professional advice, contact a solicitor.