The Mandatory Data Breach notification scheme in Australia has come into effect today. The new scheme will strengthen the protections afforded to everyone’s personal information and will improve transparency in the way that the public and private sectors respond to serious data breaches.

This legislation is a new way of putting data first and companies will be able to prioritise their existing information security programs of work around what is considered to be Personal Identifiable Information (PII).

Who do the changes apply to?

The changes apply to Commonwealth Government agencies and private sector organisations who are currently subject to the Australian Privacy Principles under the Privacy Act.

This includes private sector organisations, including not-for-profits, with annual (group) turnover of more than $3 million. It also includes small businesses that may be earning $3 million or less where they are health service providers involved in trading in personal information, contractors that provide services under a Commonwealth contract or credit reporting bodies, amongst others.

Entities already exempt from the operation of the Australian Privacy Principles remain exempt from the changes.        

For example, the changes apply to private schools or companies with a turnover of more than $3 million per year, but not to local councils or state government agencies.

What are the fines that an entity might face if it is subject to an eligible data breach?

Where an entity experiences an eligible data breach, the occurrence of that data breach in and of itself is unlikely to result in the entity facing penalties. Rather, a failure to report an eligible data breach will be considered an interference with the privacy of an individual affected by the eligible data breach. Under the Privacy Act, this means that a failure to notify affected individuals of an eligible data breach could be the subject of a complaint to the Privacy Commissioner.

Serious or repeated interferences with the privacy of an individual can give rise to civil penalties of up to $2.1 million. (We note that company directors or management will not be personally liable for such serious or repeated interferences.) The biggest impact is expected to be on reputation and the ability of the company to acquire new customers and keep the current customer base due to lack of trust in its ability to protect the information assets of its customers.

Are there any new rules relating to the security of personal data introduced by the changes?

There are no new requirements regarding the security of personal data. However, the changes primarily supplement Australian Privacy Principle 11 which requires entities who hold personal information to take reasonable steps to protect personal data from misuse, interference and loss, and from unauthorised access, modification or disclosure.

How can Ground Labs help?

Ground Labs have developed and commercialised a software that searches for all sensitive information within the network identifying all personal information data types and allowing the organisation to gain complete control over their information assets. The solution will not only identify but also allow the company to remediate any inappropriately stored sensitive information and allow the management team to make a data-driven decision in how to manage the information assets of the organisation.

Enterprise Recon is a worldwide recognised technology that assists with implementation and maintenance of major cybersecurity standards and regulations in Australia and across the globe such as PCI DSS, Australian Privacy Principles, HIPAA, Cyber Security Framework by NIST, IRAP, VPDSS and GDPR.

Want to keep up with all our blog posts? Subscribe to our newsletter!