New privacy laws

Keeping customer and staff information secure is even more important after new laws came into effect on 22 February 2018.


David Humphrey

New data notification laws commenced in February. Under the notifiable data breaches (NDB) scheme, businesses need to formally investigate suspected data breaches of personal information. Data breaches that are likely to result in serious harm must be reported to the Office of the Australian Information Commissioner and to the individuals affected.

The Privacy Act – a duty to protect and secure information

If you have a turnover greater than $3 million, the Privacy Act 1988 and Australian Privacy Principles (APP) regulate the way your business handles personal information.

These laws broadly require businesses to secure any personal information they hold and take reasonable steps to protect this information from misuse, interference, loss and unauthorised access, modification or disclosure.

Some common examples of personal information include an individual’s name, address, phone number, date of birth, email address, photograph or video recording of a person, bank account details, tax file number, signature, and commentary or opinion about an individual.

Many HIA members will obtain and secure personal information from their clients, potential customers, employees and contractors.

The new data notification laws

The notifiable data breaches scheme adds to the existing privacy obligations.

Under the new laws, as soon as practicable after you become ‘aware that there are reasonable grounds to believe’ there has been an eligible data breach you must notify these parties:

• the Information Commissioner
• affected individuals (or publish a statement).

There are some exceptions, including where you take sufficient remedial action so that the data breach is not likely to result in serious harm.

The new data notification laws will apply to businesses with a turnover greater than $3 million. The laws apply to small businesses only in relation to a data breach involving tax file numbers.

There may be penalties for non-compliance, including compensation for damages and monetary fines.

What is a notifiable data breach?

An eligible data breach will happen if:

• there is unauthorised access, unauthorised disclosure, or loss of personal information held by an entity, and
• the access, disclosure or loss is likely to result in ‘serious harm’ to the individual to whom the information relates.

Online hacks, email ‘phishing’ and data ransomware present common data breach risks. However, other examples include:

• lost or stolen electronic devices containing personal information (such as a laptop, USB or mobile phone)
• paper records stolen from insecure recycling or garbage bins
• accidentally providing personal information to the wrong person
• unauthorised access to payroll information or personal information of employees.

Online security

Keeping personal information secure

To make your systems less attractive to cyber criminals, consider these tips:

• install a firewall and virus-checking on your computers, and download the latest patches or security updates
• install anti-spyware tools
• choose secure passwords
• only allow your staff to access the information they need to do their job
• don’t let staff share passwords
• encrypt any personal information held electronically that would cause damage or distress if lost or stolen
• collect and store personal information only if it is absolutely necessary
• develop management policies and procedures for personal information
• destroy personal information when it is no longer needed.

Depending on your risk, you may also want to prepare a data breach response plan and obtain cyber insurance coverage.
