A loss or unauthorised disclosure of sensitive data, e.g. as a result of a cyber-attack or a flaw in data security procedures, can affect any business, undermine its success and jeopardise the trust and confidence of investors and customers. The consequences can be very costly.
You need to act now to ensure that your business is ready to comply with the current requirements and prepared for the new regulations coming into effect.
What follows is an outline of the privacy and data protection framework you should consider.
Australian Privacy and Data Protection Laws
Currently, there is a wide range of privacy and data protection requirements introduced by the Commonwealth of Australia and the Australian States and Territories. You may also have to comply with additional or more specific requirements specified in a contract.
A non-exhaustive list includes the following:
- Australian Privacy Principles (APPs) which are found in Schedule 1 to the Privacy Act 1988 (Cth). In particular, APP 11 requires organisations to take reasonable steps to protect personal information from misuse, interference and loss, and from unauthorised access, modification and disclosure, and to permanently destroy or de-identify the information when it is no longer required for any purpose permitted by the APPs;
- Privacy Act 1988 (Cth), Part IIIA, including the additional obligations of credit providers and credit reporting bodies under Part IIIA and the registered Credit Reporting Code in relation to the security of credit and credit eligibility information, e.g. when a credit provider accesses a copy of an individual’s credit report in order to decide whether or not to extend credit;
- Privacy (Tax File Number) Rule 2015, issued by the Privacy Commissioner under section 17 of the Privacy Act 1988 (Cth), which regulates the collection, storage, use, disclosure, security and disposal of individuals’ tax file number (TFN) information;
- Payment Card Industry Data Security Standard (PCI DSS), developed by the PCI Security Standards Council and applied through contracts with card schemes and acquirers, which sets out the obligations of organisations that collect and handle payment card information to maintain the security of that information and to respond when a data breach involves payment cards or cardholder data;
- My Health Records Act 2012 (Cth) including mandatory data breach notification requirements imposed on healthcare provider organisations, registered contracted service providers and registered repository and portal operators;
- Additional requirements imposed on public and private sector organisations under particular State and Territory health records laws;
- Telecommunications (Interception and Access) Act 1979 (Cth), including the requirements imposed on telecommunications carriers and internet service providers to maintain the confidentiality of the metadata that they are required to retain;
- Requirements imposed on the government agencies of the Commonwealth, States and Territories to protect personal and other information, e.g. the protocols, guidelines, better practice guides and policies comprising the Protective Security Policy Framework (PSPF) of the Australian Government;
- Requirements imposed on public sector entities under State and Territory privacy laws, which require them to implement additional procedures and policies for dealing with data security breaches;
- Additional requirements in respect of data security breaches imposed on private sector entities under outsourcing contracts they enter into with public sector entities.
Mandatory Notification of Serious Data Breaches in Australia
The Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) has introduced a new Part IIIC into the Privacy Act 1988 (Cth), including mandatory reporting of data breaches. The changes come into effect on a date fixed by proclamation or, at the latest, 12 months after Royal Assent, which was received on 22 February 2017.
The new mandatory reporting requirements will apply to organisations that hold personal, credit reporting, credit eligibility or tax file number information and are subject to the Privacy Act 1988 (Cth), including:
- Australian government agencies;
- Private sector organisations with an annual turnover of more than $3 million;
- Credit reporting bodies;
- Health service providers and holders of health records.
They will be required to notify the Information Commissioner and the individuals affected by a data breach that is likely to result in serious harm, e.g. a loss of personal information that could be used for identity theft.
In particular, they will be required to:
- Where there are reasonable grounds to suspect that such a breach has occurred, carry out a reasonable and expeditious assessment, within 30 days, of whether it has in fact occurred;
- Unless an exception applies, as soon as practicable after becoming aware of the breach, notify the affected individuals and the Office of the Australian Information Commissioner (OAIC) of the details of the breach and the kind of information compromised, and recommend steps the individuals should take in response.
The exceptions include the situation where, on discovering a data breach, an organisation takes remedial action quickly enough that the breach is no longer likely to result in serious harm to any affected individual. In that case the breach is not reportable.
Privacy and Data Protection Laws in Other Jurisdictions
In addition to Australian laws, you should be aware of privacy and data protection laws in other jurisdictions, which may nevertheless apply to your business. This may be because you conduct business in an overseas jurisdiction or have dealings with business counterparties or customers located overseas. For example, mandatory data breach notification regimes exist in:
- 47 of the states of the United States;
- Alberta, Canada (the whole of Canada is expected to be subject to a mandatory notification regime by 2018);
- South Africa and South Korea;
- Member countries of the European Union (EU) under the new EU General Data Protection Regulation (GDPR), which applies from 25 May 2018. The GDPR:
- Introduces strict data security and privacy protection standards;
- Deals with such difficult aspects of data protection as the right to be forgotten, the right to data portability and requirements of explicit consent to profiling;
- Operates extraterritorially and requires non-EU organisations that offer goods or services (including online) to EU data subjects, or that monitor the behaviour of EU data subjects, to adhere to those standards;
- Provides for high penalties for breaching the GDPR, of up to €20,000,000 or 4% of total annual worldwide turnover (whichever is higher);
- Provides for mandatory data breach notification to the supervisory authority (without undue delay and, where feasible, within 72 hours of becoming aware of the breach) and, where the breach is likely to result in a high risk to individuals, to the affected data subjects.
The GDPR has significant implications for Australian businesses that hold the data of EU data subjects or that conduct business in the EU.
Legal Risks and Potential Exposure
There is potential for reputational harm to your business as well as for substantial legal liability resulting from a breach of privacy and data protection laws. This includes:
- Personal liability of directors for breach of their obligations under the Corporations Act 2001 (Cth) to exercise their powers and discharge their duties with reasonable care and diligence. Directors must now review data protection risks alongside their other risk management activities and introduce the procedures necessary to mitigate them;
- Where the entity has raised capital through a public offer, personal liability of directors where cyber risks are not sufficiently disclosed in the disclosure documents provided to investors, e.g. a prospectus, and investors have incurred losses as a result of cyber security incidents;
- Where the organisation is listed on ASX, liability for breach of the continuous disclosure requirements to disclose matters that a reasonable person would expect to have a material effect on the price or value of the shares;
- Liability for breaches of contracts with suppliers or customers, including specific obligations in relation to data protection and confidential information;
- Liability for breaches of APRA’s prudential standards in respect of outsourcing by APRA-regulated organisations, e.g. banks, insurance companies and superannuation funds.
To mitigate these risks, you should consider developing and implementing a Data Breach Response Plan for your business. Such a plan would normally provide for:
- Response team members, including senior IT, risk, legal, HR and communications officers;
- When an actual or suspected breach should be escalated to the response team;
- Immediate actions and further steps to be taken by the response team;
- When insurers are to be notified, so as not to prejudice cover under the insurance policy;
- Particular regulatory obligations and processes arising from a data breach, e.g. notification to the OAIC and to affected individuals;
- Particular contractual obligations and requirements arising from a data breach.
Pavuk Legal can provide you with legal advice in respect of your cyber security and privacy matters. These services include contract and transaction review, advice on privacy legislation and codes, responses to complaints of breach of privacy, and data protection and cyber-related legal and commercial issues.
Many other essential hot topics for business owners are covered in the book Nobody Else’s Business. Nobody Else’s Business is about helping business owners live the life they want to live, now and in the future. It is the ultimate guidebook for succession planning in modern Australian businesses.
To purchase your own copy of Nobody Else’s Business please follow the link http://www.nobodyelsesbusiness.com.au/
For the full range of Legal Services that Pavuk Legal offers please go to: www.pavuklegal.com/services/