Along with welcoming a new year, we also welcome two major changes to privacy legislation, both here and overseas, that could have a dramatic impact on Australian businesses.

Notifiable Data Breaches

In February, the Privacy Amendment (Notifiable Data Breaches) Act 2017 comes into full force. One of the key points of this amendment is that all entities covered by the Australian Privacy Principles (APPs) (i.e. those with a turnover of more than $3m) must notify the Office of the Australian Information Commissioner (OAIC) and any potentially affected individuals of an "eligible data breach".

  • a data breach will arise where there has been unauthorised access to, or unauthorised disclosure of, personal information about one or more individuals, or where such information is lost in circumstances that are likely to give rise to unauthorised access or unauthorised disclosure (for example, leaving the information on the bus); 
  • an eligible data breach will arise where a reasonable person would conclude that there is a likely risk of serious harm to any of the affected individuals as a result of the unauthorised access or unauthorised disclosure; 
  • serious harm, while undefined, is likely to include serious physical, psychological, emotional, economic and financial harm, as well as serious harm to reputation; and 
  • serious harm will be likely if such harm is "more probable than not" having regard to a list of relevant matters to be included in Part IIIC. The matters include the sensitivity of the information, any security measures taken (such as encryption) and how easily those security measures could be overcome (for example, if the encryption key has also been accessed).
    Source

Entities that merely suspect that an eligible data breach has occurred must complete a "reasonable and expeditious" assessment of the relevant circumstances within 30 days. If the suspicion is confirmed, a notification to the OAIC must be made using the prescribed format, and a statement to affected individuals must be made using any normal communications method. There are exceptions to this notification requirement, including where the entity has taken remedial action before any serious harm from the data breach has occurred.

Causeis takes client data security very seriously. We have strict policies governing how staff handle offline copies of client data. We advise all clients to prepare for the changes by confirming that all policies and procedures relating to data handling have been updated and that staff are aware of their responsibilities, so that private information does not get left on the bus! Do you know where your backups are?

EU General Data Protection Regulation (GDPR)

Another major change is the introduction of the GDPR in May. This has ramifications for any clients that hold personal information about any EU citizen. Even if your company is not located in the European Union, the GDPR also applies to processors and controllers outside the EU where the organisation:

  • offers goods or services to individuals inside the EU, even if no payment is required; or 
  • monitors the behaviour of individuals within the EU, especially if you perform analysis or profiling of that activity for predictive purposes.
    Source

The GDPR and the Australian Privacy Act share many similar goals, such as privacy by design and transparency. However, there are key differences that your organisation should be aware of if you meet either criterion above, such as the requirement to appoint a data protection officer and an individual's right to be forgotten and to data portability. There are also strict requirements regarding the transfer of personal data outside the EU. If your organisation meets, or suspects that it meets, either of these criteria, it is vital that you seek advice on implementing the GDPR. For more information about the GDPR please refer to https://www.eugdpr.org/gdpr-faqs.html

For more information on the Notifiable Data Breaches scheme, refer to the Office of the Australian Information Commissioner via https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme

About Causeis: With over 50 years of combined experience, Causeis provides an award-winning iMIS consultancy service to Australia's leading non-profits. We specialise in business strategy alignment, engagement modelling, critical system management, website development and data analytics.
