If you have completed the Compliance Questionnaire, you may be wondering what further steps you can take to confirm your compliance and improve your cyber resilience.
The following organisations and their resources are a good starting point for understanding the various Australian privacy regulations and your obligations as a business:
- Office of the Australian Information Commissioner (‘OAIC’) – The independent national regulator for privacy and freedom of information. Its guidance is the primary resource for complying with the Privacy Act 1988 (Cth) and the Notifiable Data Breaches scheme.
- Australian Cyber Security Centre (‘ACSC’) – Part of the Australian Signals Directorate, the ACSC assists government, organisations, businesses and individuals by providing cyber security advice and information on how to improve security online.
- Information and Privacy Commission NSW (‘IPC’) – An independent statutory body responsible for privacy and information access in New South Wales, informing citizens of their rights and public sector agencies of their obligations when handling government-held information.
- Other Australian legislation – In addition to the resources and regulations above, your business will need to be aware of the following state and federal laws, which also cover individuals’ rights to privacy:
  - Workplace Surveillance Act 2005 (NSW)
  - Surveillance Devices Act 2007 (NSW)
  - Adoption Act 2000 (NSW)
  - Assisted Reproductive Technology Act 2007 (NSW)
  - Crimes (Forensic Procedures) Act 2000 (NSW)
  - Criminal Records Act 1991 (NSW)
  - Telecommunications Act 1997 (Cth)
  - Telecommunications (Interception and Access) Act 1979 (Cth)
  - National Health Act 1953 (Cth)
  - Data-Matching Program (Assistance and Tax) Act 1990 (Cth)
  - Crimes Act 1914 (Cth)
  - Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth)
  - Healthcare Identifiers Act 2010 (Cth)
  - Personally Controlled Electronic Health Records Act 2012 (Cth) (since renamed the My Health Records Act 2012)
  - Personal Property Securities Act 2009 (Cth)
Australian Privacy Principles (the 13 “APPs”)
The 13 Australian Privacy Principles form the core of the privacy protection framework in the Privacy Act 1988 (Cth) and govern your business’s obligations when handling personal information, covering:
- collection, use, and disclosure of personal information
- your business or organisation’s accountability and governance surrounding data safeguarding
- integrity and correction of personal information
- rights of individuals to access their personal information
Under the Privacy Act, a failure to comply with an APP is an “interference with the privacy of an individual”, and a serious or repeated interference can lead to regulatory action and civil penalties. The maximum penalty, historically $2.1 million, has been increased to the greater of $10 million, three times the value of any benefit obtained from the misuse of the information, or 10% of the company’s annual domestic turnover.
The Privacy Commissioner can also make a determination awarding compensation to affected individuals; awards for non-economic loss have typically ranged from $1,000 to $20,000 per privacy breach. In addition, the Commissioner can apply to the court for a civil penalty order against a non-compliant entity. That penalty can range from $525,000 to $2.1 million for a body corporate and from $105,000 to $420,000 for any other entity.
Notifiable Data Breaches (“NDB”) scheme
Under the NDB scheme, your organisation or business must notify affected individuals and the OAIC when an eligible data breach occurs, that is, a breach that is likely to result in serious harm to any of the individuals whose personal information is involved.
An ‘eligible data breach’ has occurred, and must be reported, only when all three of the following conditions are met:
- There has been unauthorised access to, unauthorised disclosure of, or loss of personal information (information about an individual who is identified or reasonably identifiable)
- The breach is likely to result in serious harm to one or more individuals (while “serious harm” is not defined in the Privacy Act, it may include serious physical, psychological, emotional, financial or reputational harm)
- Your business has not been able to prevent the likely risk of serious harm through remedial action
If you suspect an eligible data breach has occurred, your business must take the following steps:
- Assess the suspected breach promptly; the Privacy Act allows at most 30 days to determine whether it is an eligible data breach
- Prepare a statement describing the eligible data breach and lodge it with the Privacy Commissioner (the OAIC)
- Notify the individuals at risk of serious harm, as soon as practicable, of the contents of that statement
Failure to notify an eligible data breach is itself an interference with privacy under the Privacy Act, and so can attract the same regulatory action and fines described above.