For quite some time, businesses have been able to self-manage their IT problems and, most importantly, their security breaches. By breaches I mean incidents where attackers could be trying to get hold of your personal information. From February 22nd, those security breaches will no longer be "self-managed": the Australian Government has finally made businesses legally obliged to report such incidents. There have been many failed attempts to bring this scheme to light under several different Governments, but many people feel it is long overdue, and considering it received support from all sides of parliament, I'd dare say that's true. Last year's Australian Red Cross Blood Bank Service breach, in which the details of many donors were exposed online, may well have had something to do with it.
Who will this affect? The new bill applies to any organisation that has to follow the Privacy Act. This includes not-for-profit organisations, Australian Government agencies and businesses whose annual turnover is more than 3 million. Some businesses that do not turn over more than 3 million annually will still be affected, however. These include private sector health service providers (gyms, weight loss clinics and alternative medical practices fall under this category); childcare centres, private schools and private tertiary educational institutions; and, lastly, businesses that sell or purchase personal information, along with credit reporting bodies.
The bill stipulates that disclosure is required following an "eligible data breach", which is defined as a breach where it is believed an individual is at "risk of serious harm" due to the disclosure of their personal information. Some people have argued that allowing an organisation to evaluate internally what constitutes a risk of serious harm leaves the test open to interpretation, giving businesses and organisations an opportunity to find a loophole in the new bill.
With the bill in place there are obviously requirements businesses need to follow, and therefore penalties if they don't. What are those requirements and penalties? When an organisation has identified a breach, it is required to notify the Privacy Commissioner and affected customers within 30 days. The bill also states that if a business fails to comply with the new notification scheme, the failure will be deemed "an interference with the privacy of an individual", and there will be some big consequences:
“A civil penalty for serious or repeated interferences with the privacy of an individual will only be issued by the Federal Court or Federal Circuit Court of Australia following an application by the [Privacy] Commissioner. Serious or repeated interferences with the privacy of an individual attract a maximum penalty of $360,000 for individuals and $1,800,000 for bodies corporate.”
Businesses and organisations should embrace this bill: it will help them work out where they should be spending their money on security, and why. Because businesses will need to contact the affected customers, it will also help build trust and honesty. Australians now know that they have a right to privacy, and if any of your personal information is leaked, you'll know the parties responsible won't be getting a slap on the wrist.
https://www.alrc.gov.au/publications/51.%20Data%20Breach%20Notification/alrc%E2%80%99s-view – “risk of serious harm”
http://www.abc.net.au/news/2016-10-28/red-cross-blood-service-admits-to-data-breach/7974036 – Australian Red Cross Blood Bank Service breach