What new data breach laws mean for small business

Yesterday marked the introduction of sweeping changes to the way companies need to report any suspected data breaches to the government. So what does this mean for small-business owners?

The Notifiable Data Breach (NDB) Scheme became law on 22 February. Under the law, all companies with an annual turnover of more than $3 million will be required to report to the Office of the Australian Information Commissioner (OAIC) any breach of their systems that involves the personal information of clients. If your annual turnover is less than $3 million, the introduction of the laws does not affect you; however, we would strongly suggest you take advantage of this opportunity to review your cyber security systems.

Companies that are required to report data breaches to the government include:

  • Australian government agencies
  • businesses and NFPs with turnover of more than $3 million annually
  • all private sector health service providers
  • businesses which trade personal information
  • businesses which gather TFNs (if turnover exceeds $3 million)
  • businesses which hold personal information.

Companies which are covered by State-based legislation (i.e. State or Territory entities or authorities) are exempt from the legislation.

Any business or organisation found not to have complied with the legislation by failing to report a data breach to the OAIC could face financial penalties of $1.8 million, with penalties for individuals set as high as $360,000.

The NDB Scheme has been developed to ensure businesses are maintaining tight security around the personal information of their clients, customers, suppliers, staff and anyone else who may be on their database.

This should afford Australians a level of confidence that their data is protected and is a commendable first step in the development of co-ordinated policy across all Australian governments.

However, there are a couple of causes for concern. The disconnect between state and federal legislation is expected to cause unnecessary confusion and anxiety for some business owners; there is no clear understanding of what actually constitutes ‘personal information’, and the penalties for non-compliance have not yet been tested.

There are three simple steps businesses need to take to be ready for the implementation of the legislation:

  1. Understand where, why and how your company collects personal information.
  2. Know where and how your company stores and manages personal information.
  3. Have a clear plan on how to respond to privacy breaches.

Your response should start with containing the breach, then move on to evaluating the risks the breach poses. If it is determined that personal information has been accessed or disclosed (and your business falls within the scheme's coverage), you must notify the individuals whose information has been accessed and report the breach to the OAIC.

Dr Vanessa Douglas-Savage, Consulting Director and CIO, GWI