New data breach laws are in force, putting the onus on owners of businesses that collect data to protect and notify individuals whose personal information is involved in a breach.
The increasing risk of data breaches, the growing threat to personal information in an online world and the complex legal obligations surrounding this area are creating an ever bigger compliance burden on businesses, warns leading national boutique law firm Parke Lawyers.
“Although breaches have occurred in the past with organisations inadvertently disposing of paper-based personal information, the risk now is much greater with so much data stored digitally and in the cloud,” says Parke Lawyers Managing Director and Business Law Specialist Jim Parke.
Our business lawyers are hearing about data breaches on a regular basis and no matter how good your software security systems are, breaches are a reality created either through human error, mischief, or simply because those looking for ways to disrupt are often one step ahead.
Mr Parke says the Notifiable Data Breaches (NDB) scheme affecting organisations covered by the Privacy Act 1988 came into effect on 22 February 2018.
This applies to organisations with an annual turnover exceeding $3 million or which are otherwise covered by the Privacy Act. It also applies to businesses related to another business covered by the Privacy Act.
Organisations are required to take all reasonable steps to prevent a breach occurring, put in place systems and procedures to identify and assess a breach and to issue a notification if a breach is likely to cause ‘serious harm’ and the entity is unable to prevent the risk of serious harm through remedial action.
The Privacy Act already requires organisations to take steps to protect personal information, and its recent amendment adds a positive obligation to assess and respond to breaches.
As well as complying with these new laws, there are many complex issues to consider with data privacy, including how personal information is gathered, managed, stored, accessed and ultimately destroyed.
Now business owners also have to consider what to do if a breach occurs, how they handle the threat to the personal information of clients and whether the risk of ‘serious harm’ as defined in the Privacy Act applies.
“With so many pieces to the data protection puzzle, it is vital that business owners and managers have access to expert legal advice,” Mr Parke says.
When you also consider the implications of operating outside Australia and online, as many businesses do, this becomes even more important. Data breaches are common and many countries have laws intended to protect citizens’ personal information. If your business operates overseas or has customers overseas, you also need to be aware of the requirements in those countries.