
Privacy Amendment (Notifiable Data Breaches) Act 2017: Eligible data breaches

This is Part 2 in our 6 part series on the new Privacy Amendment (Notifiable Data Breaches) Act 2017, coming into effect in Australia on 22nd February 2018. Click here to read Part 1: Introduction to the new legislation.


In last week’s post, we introduced you to the basics of the NDB act and what it will mean for digital security in Australia. The new legislation, effective 22nd February 2018, calls for mandatory reporting of eligible data breaches to the Office of the Australian Information Commissioner (OAIC) and the individual(s) affected by the breach. This week we discuss what makes an eligible breach ‘eligible’.

What is an eligible data breach?

If you’re familiar with the NDB scheme from our last post, you’ll be acquainted with the phrase ‘eligible data breach’. Under the new legislation, organisations are required to report a data breach if it is considered ‘eligible’. Eligibility depends on the nature of the compromised information and the potential risk that unauthorised disclosure may cause to the individual(s) whose information has been compromised.

An eligible data breach occurs when there is unauthorised access to, or unauthorised disclosure of, personal information held by an organisation (or the information is lost in circumstances where unauthorised access or disclosure is likely to occur), and a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates.

Events that can constitute an eligible breach could include:

  • lost or stolen devices or physical records (such as laptops, hard drives, USB drives or paper files);
  • data that is disposed of insecurely instead of being properly destroyed;
  • hacked databases;
  • employees accessing information that falls outside their authorisation; or
  • organisations sending data unintentionally to the wrong recipient.

An organisation does not need to have proven that a breach occurred before it must act. If it has reasonable grounds to suspect that an eligible data breach may have occurred, it must carry out a prompt assessment (completed within 30 days) to decide whether there are reasonable grounds to believe one has occurred; if so, notification follows. Information that has been lost and cannot be retrieved counts as a breach where unauthorised access or disclosure is likely to occur as a result. One caveat worth knowing: if the organisation takes remedial action before any serious harm results (for example, remotely wiping a lost encrypted laptop before anyone accesses it), such that a reasonable person would conclude the access or disclosure is no longer likely to cause serious harm, the incident is not an eligible data breach and need not be notified.

What is ‘serious harm’?

The Act itself does not define serious harm; the explanatory memorandum that accompanies the NDB Act gives examples. It comes in many forms, and can include:

  • financial or economic harm;
  • physical harm;
  • psychological or emotional harm; and/or
  • damage to reputation.

If compromised information is likely to result in serious harm of any of these kinds, whether to a single individual or to many, the breach should be reported.

There are many situations in which serious harm can result from the disclosure of personal information, and the potential harm varies according to the information and to the individuals in question. For example, serious harm can result from the disclosure of:

  • financial information, resulting in financial fraud;
  • identity information, resulting in identity theft or fraud;
  • addresses or contact information of certain individuals, resulting in potential physical or emotional harassment and harm;
  • statements made under a confidentiality agreement, resulting in potential reputation damage; or
  • sensitive medical information, resulting in potential reputation damage.

These are only some of the situations in which individuals can experience serious harm as the result of a data breach. Where an assessment is borderline, it would be prudent for organisations to err on the side of notification, given the penalties that may apply for non-compliance.

When is there a real risk of serious harm?

Assessing if there is a risk of serious harm relies on factors like:

  • the nature and sensitivity of the information that has been/ may have been disclosed;
  • the security measures or encryption still protecting the compromised information;
  • the type of person or people who obtained the information; and
  • the nature of the potential harm that may result from unauthorised disclosure.

The test is objective: if a reasonable person, in the position of the organisation and with its knowledge of the circumstances, would conclude that the access or disclosure would be likely to result in serious harm to the individual(s) concerned, the breach meets the threshold.

If an organisation has experienced a data breach in which data is lost, stolen, improperly disposed of, or accessed without authority, and the breach is likely to result in serious harm to one or more individuals, it is an eligible data breach. The organisation must then prepare a statement for the OAIC and notify the affected individuals as soon as practicable. Note that the 30-day limit applies to the assessment of a suspected breach, not to the notification itself, which should not be delayed once the organisation believes an eligible breach has occurred.

 

For more information, click here to download our white paper all about the new Act, including our tips and advice on meeting your data security obligations.

 

This blog post is intended for informational purposes only. Although every effort has been made to present accurate and current information, accuracy cannot be guaranteed. Please note that the information within this blog post does not constitute legal advice and should not be relied upon as such. For legal or professional advice, contact a solicitor.

 

Privacy Amendment (Notifiable Data Breaches) Act 2017: Introduction to the new legislation

This is Part 1 in our new 6 part series on the new Privacy Amendment (Notifiable Data Breaches) Act 2017, coming into effect in Australia on 22nd February 2018.


Australians will see changes in digital security practices in 2018 as new privacy protection laws take effect. The Privacy Amendment (Notifiable Data Breaches) Act 2017 ("NDB") is an important addition to legislation that will change the nature of digital security for Australian businesses, and ultimately for all Australians. The NDB Act amends the Privacy Act 1988 and introduces mandatory reporting of eligible data breaches.

Under the new law, if a known or suspected data breach is likely to result in serious harm to one or more individuals, the breach must be reported to the Office of the Australian Information Commissioner (OAIC) and to the affected individual(s).

How will the NDB increase privacy protection?

The NDB scheme is designed to encourage organisations to increase digital security by creating strong disincentives for data holding entities to allow a security breach.

The NDB is therefore a principles-based approach to increasing privacy protection. It functions as a self-regulating system by raising the potential consequences of weak digital security. Businesses don’t want to publicise data breaches; doing so involves an expensive cleanup and a loss of confidence from customers. However, failing to report a notifiable breach could now incur civil penalties of up to $1.8 million, on top of negative publicity and legal costs.

With organisations soon obliged to report a breach, they will increase digital security in order to avoid one. Under the new law, data holding entities will be inclined to take data security more seriously than ever before.

Who is affected by the NDB?

The NDB Act, as an amendment to the Privacy Act 1988, is applicable to all entities operating under the Privacy Act, including:

  • entities deemed to hold information disclosed to overseas recipients;
  • credit reporting bodies and credit providers;
  • recipients of tax file number (TFN) information;
  • government organisations, health providers, and educational institutions; and
  • businesses or not-for-profits with an annual turnover greater than $3 million.

The NDB directly affects organisations, but all Australians stand to benefit from the scheme. Because of the heavy penalties and reputational risk involved, and the wide scope of the NDB across business, Australians can expect this new legislation to reduce the incidence of data breaches. It will also promote transparency in privacy protection, giving affected individuals the opportunity to mitigate the effects of compromised personal data, for example by changing passwords or monitoring their accounts for fraud.

What are the key changes to current legislation?

The current Privacy Act leaves data breach notification at the discretion of data holding organisations. A business can decide whether or not it wishes to report data breaches to the OAIC, or to individuals whose personal information has been exposed by a data breach. Often, individuals are not warned when their data is accessed by potentially malicious parties, meaning they may be unable to take preventative action.

When the NDB scheme commences next month, this will change. If an eligible data breach occurs, organisations will be legally obliged to report it to the OAIC and to the individuals likely to suffer serious harm. Failing to do so will incur heavy financial penalties and a likely loss of trust from the Australian public and partner organisations.

Under current legislation, there is no time limit within which a breach must be handled. Under the NDB, if an organisation has reasonable grounds to suspect that an eligible data breach has occurred, it must carry out a reasonable and expeditious assessment, completed within 30 days of becoming aware of those grounds, and if the assessment confirms an eligible breach it must notify as soon as practicable.

When does the NDB come into effect?

The Privacy Amendment (Notifiable Data Breaches) Bill 2016 was passed by Parliament in February 2017, and the Act received Royal Assent on 22nd February 2017. The key amendments commence twelve months later, on 22nd February 2018. Any organisation that experiences an eligible data breach from this date will be required to follow the reporting procedures of the NDB.

Regulatory bodies and data security experts suggest businesses take immediate steps to safeguard their digital security in preparation for the change. For some tips on how to strengthen your organisation’s digital security, see our post 10 Tips to Secure Your Company’s Data Against Cyber Threats.

 


 

Data Protection Day: A timely reminder that data protection laws are changing


Data Protection Day falls on January 28th, acting as an annual international reminder of the importance of digital security. Since 2006, Data Protection Day (or Data Privacy Day) has reminded organisations to start each year with strong digital defences. The coming year will see significant changes to data protection legislation worldwide; new data protection laws are being introduced that will change the way organisations and individuals view and manage privacy protection.

The incidence of cyber crimes and identity theft has increased rapidly in recent years, inciting these large-scale legislative changes and making the message of Data Protection Day more potent in 2018 than ever before.

The changes will raise global awareness of data security in 2018. Changes to European Union law will govern any organisation worldwide that processes the personal data of EU data subjects, demanding the attention of every international business. This year will see companies worldwide inspecting their data privacy policies, prevention practices, and breach response procedures in order to prepare for the changes.

What will change in 2018?

The two jurisdictions undergoing the most change this year are likely to be Australia and the EU, introducing the Privacy Amendment (Notifiable Data Breaches) Act 2017 (NDB) and the General Data Protection Regulation (GDPR), respectively. Canada is also working towards bringing its data breach notification regulations, the Breach of Security Safeguards Regulations, into force this year; these are similar to the NDB Act in Australia.

The NDB act and the GDPR share a common goal: to increase privacy protection, to minimise the frequency of data breaches, and to create transparency in data handling and processing procedures. While the objectives of the two laws are similar, they are designed to achieve success in different ways.

The new Australian privacy law takes a principles-based approach, encouraging organisations to increase data protection in order to avoid an eligible data breach, and therefore to avoid fines and negative publicity. The new EU privacy law takes a prescriptive approach, making increased data protection a legal obligation in itself rather than a suggested precaution against a data breach and its consequences. The GDPR also imposes far greater financial penalties for non-compliance.

As well as clearly outlined obligations for data controllers and processors, the GDPR includes several requirements not found in Australian law, including:

  • the mandatory appointment of a data protection officer (DPO) where an organisation’s core activities involve large-scale regular and systematic monitoring of individuals, or large-scale processing of special categories of data;
  • data protection by design and by default, and a minimum standard of technical and organisational security measures appropriate to the risk;
  • the right to data portability (the right of a data subject to receive their data in a structured, commonly used, machine-readable format and to transmit it to another controller); and
  • the right to erasure (deletion of personal data on request where, for example, it is no longer necessary for the purpose for which it was collected).

Because of the comprehensive nature of the GDPR, it is set to become the gold standard of privacy protection legislation, and will have a pervasive impact on privacy protection worldwide.

A summary of the GDPR and the NDB Privacy Amendment

[Image: comparison table of the GDPR and the NDB Privacy Amendment; not reproduced here.]

How can your business prepare for the changes?

Staying informed about which legislative changes might affect your business is the first step to success as these new laws come into play. Access our best-practice guide to securing your business against cyber threats, for further steps you can take in-house. Contact Avtel Data Destruction for information on our unique and secure data destruction method that complies with new legislation.

 


 

10 Tips to Secure Your Company’s Data Against Cyber Threats

Incidences of cyber crime and identity theft are set to rise again in 2018, continuing a long-established trend. With the new year and new legislation just around the corner, many businesses are looking to the future and reassessing their digital security practices.

Tens of millions of cases of identity theft occur annually, with stolen funds now exceeding $15 billion each year. Studies suggest that in the last six years, cases of identity theft have increased as much as 200%.

Every organisation handling the data of clients, customers, or employees is at risk of a security breach. Statistically, the most frequently targeted sectors are education and health, which store large amounts of personal data, and financial institutions, an obvious target for cyber criminals seeking monetary gain.

With the risk of cyber crime increasing annually, attention needs to be given to data protection, both in legislation and in the digital security practices of individual organisations. 2018 will see legislation tightening in both Australia and the EU, with new laws imposing heavy penalties on organisations that fail to meet their data protection and breach notification obligations.

Beyond the fines imposed by governing authorities in the case of a data breach, companies also experience financial losses in the recovery process, as well as a significant loss of trust in their client base. 

The sensitive information in question can include names and addresses, medical records, bank account details, and photographic images or video footage, as well as information on a customer’s workplace. It can also include the expression of certain personal opinions.

With legislation tightening and public awareness of data security issues rising, data security is likely to become a key deciding factor in consumer choices. Companies are taking stronger measures to ensure their clients remain protected from cyber crime and data theft. Below, we suggest several steps that can be taken to significantly minimise the risk of data security breaches in workplaces across Australia.

ADD's tips to secure your company’s data against cyber threats in the workplace

The Privacy Act 1988 and the Australian Privacy Principles (APPs) it contains are legally binding and inform privacy protection in Australia. Familiarise yourself with these and follow the ten steps below to help protect sensitive data.

 

1. Consider whether it is necessary to hold sensitive information in the first place, and what minimum amount of information you need to collect. Over-collection or storage of unnecessary data increases security risk by increasing the amount of data for which your organisation is responsible.

2. Conduct a Privacy Impact Assessment (PIA) or an information security risk assessment, if applicable. A PIA is a written assessment that identifies the privacy impacts of a proposal and recommends how to manage them. It describes the flows of personal information within the scope of the proposal, analyses the possible impacts, and explains how the organisation intends to reduce or eliminate the identified risks. The OAIC website can help you determine whether you require a PIA or an information security risk assessment.

3. Educate your staff on good cyber-security habits. Raise awareness of the methods used by cyber criminals and ensure that every employee understands the importance of digital security.

4. Embed appropriate privacy protections in your information handling practices. By always handling data securely, within a planned and deliberate information handling framework, you minimise the risk of information leaking through unsafe practices or human error.

5. Plan for human error. Ensure staff comply with strict policies on access to, and distribution of, sensitive data such as customers’ personal details, and have procedures in place to deal with breaches if and when mistakes occur.

6. Protect all devices and drives with security safeguards such as encryption and endpoint security software. Keep all programs updated and patched so that your software is ready for the constantly shifting landscape of digital threats.

7. Put monitoring and alerting in place so that, if a breach occurs, you are made aware immediately and can respond as efficiently as possible. Prompt detection also matters under the NDB scheme, since the 30-day assessment window runs from the time you become aware of grounds to suspect a breach.

8. Only hold data for as long as it is necessary to do so. Once sensitive data is no longer needed, destroying it promptly and completely ensures it cannot become a security issue in the future.

9. Ensure all paper copies of sensitive information are disposed of appropriately and safely. Work with a data destruction company and ensure your staff understand the sensitive nature of paper records and the need for their proper destruction.

10. Work with a reputable data destruction company to dispose of digital copies of personal information safely and permanently. Complete data destruction is an essential way to mitigate risk once information is no longer required. Using a data destruction company that can guarantee complete destruction of all digital and physical data ensures your customers’ sensitive information remains secure. Choose a company that can assure 100% auditability of eradicated data. Where possible, have data destroyed on-site to avoid the risks associated with transporting sensitive information.

 

As the current market leader in Australian data destruction, AVTEL Data Destruction uses a unique and portable milling process that guarantees complete security of eradicated data.