ARTICLE
5 September 2017

HACKED! Data breach notification becomes mandatory

Spruson & Ferguson

Contributor

Established in 1887, Spruson & Ferguson is a leading intellectual property (IP) service provider in the Asia-Pacific region, with offices in Australia, China, Indonesia, Malaysia, Philippines, Singapore, and Thailand. They offer high-quality services to clients and are part of the IPH Limited group, which includes various professional service firms operating under different brands in multiple jurisdictions. Spruson & Ferguson is an incorporated entity owned by IPH Limited, with a strong presence in the industry.
New amendments will require organisations to take prompt action on suspected data breaches or face substantial fines.

Currently, if personal information held by your organisation is accessed by or disclosed to an unauthorised party, it is merely voluntary for you to advise affected individuals. That will soon change if you are covered by the Privacy Act 1988. The Act generally applies to entities with an annual turnover of $3 million or more.

Amendments to the Act come into effect in Australia on 22 February 2018. Those amendments will require organisations to take prompt action on suspected data breaches or face substantial fines.

What is a data breach under the Act?

For the purposes of the Act, a data breach occurs when:

  • there has been unauthorised access, or unauthorised disclosure of personal information; or
  • personal information is lost in circumstances that are likely to result in unauthorised access or disclosure; and
  • there is a likely risk of 'serious harm' to any individual affected by the breach. 'Serious harm' may include physical, psychological, emotional, economic and financial harm.

How must an organisation deal with a data breach?

Within 30 days after becoming aware of a potential data breach, the entity must conduct an assessment into the relevant circumstances. If a data breach meeting the above criteria is identified, the entity must notify both the Privacy Commissioner and the individuals affected as soon as practicable.

Substantial fines of up to $360,000 for individuals and $1.8 million for organisations may be issued for serious or repeated failure to comply.

What should organisations do now? Review, Protect and Prepare

In preparing for the new regime, you should:

  • Review your Privacy Policy

Take this opportunity to review your current Privacy Policy and include a brief new section outlining your commitment to comply with the mandatory data breach notification regime when it comes into effect.

  • Protect data you hold

Prevention is better than cure. Conduct an internal review of policies and procedures concerning data security and disclosure.

  • Prepare policies and procedures to deal with a breach

Update or create new policies and procedures to be followed if a data breach occurs to ensure your prompt compliance with the new regime.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
