You may have heard about the new laws in place for reporting data breaches. The laws are quite complex, so here is my breakdown of what small businesses need to know.
1. Do they apply?
The laws are part of the Privacy Act. Generally the Privacy Act only applies where a business has a turnover of more than $3 million. However, there are certain industries where small businesses must comply regardless of turnover. These include health providers, financial service providers and people in the money lending / broking industries.
2. What do they cover?
The laws relate to a data breach that affects personal information. Personal information includes all information that is identifiable to a person, such as names, addresses, phone numbers, bank account details and Medicare numbers. It also extends to notes you keep about a person in your own business records or client files. Finally, employees are people too, so don’t think it is limited solely to client information.
3. What is a data breach?
Don’t be misled into thinking this only means some type of computer hacking scenario. "Data" is used loosely and really means "information". So a data breach is any incident in which personal information is lost, modified, disclosed, or interfered with in a way that you have not authorised. A misplaced client file or an email sent to the wrong recipient can be a data breach just as much as a hacked server.
4. Does every breach have to be reported?
No. This is where the laws become complex. Every breach must be assessed for its potential impact on the person whose information has been compromised. The level of response will vary depending upon the nature of the breach and the potential harm that could be caused.
There are different requirements for different aspects of a breach, such as when you know a breach has happened versus when you only suspect one might have happened. The response required also depends upon the nature of the information compromised: for example, tax file numbers or bank account details being disclosed poses a higher risk than email addresses being disclosed.
5. Who does a breach get reported to?
Again, this depends upon the extent of the breach. There are three alternative avenues which the law prescribes must be followed in certain circumstances. Reporting may be made to the Office of the Australian Information Commissioner, to the individuals affected, and/or to everyone by way of a statement on your website.
6. So what do I need to do?
You’ve taken the first step, which is to be aware. If you are in an industry that must comply with the Privacy Act, you should consider putting a written procedure in place that sets out, for your business, how you will deal with a privacy breach and what steps you will take to comply with the law. You should seek legal advice to ensure that you understand what the obligations are and how to make sure you comply.