• Home
  • About us
  • Services
  • News and Resources
  • Events
  • Work with Us
  • Contact

IS YOUR BUSINESS’ PERSONAL DATA SAFE FROM NEW LAW CHANGES?

By Sean Melbourne and Elena Nelyubina

Businesses know the convenience of having data at their fingertips. These days even one-person operations have customers’ phone numbers and suppliers’ email addresses readily available on a mobile device. Ready data access is essential to keep up with the pace of business.  

The downside of having easy access to personal data is that it is more vulnerable to hackers, thieves or being sent accidentally to third parties. Businesses now have new obligations under Australia’s Notifiable Data Breach scheme, designed to minimise the negative impact of personal data falling into the wrong hands and to make data breaches more transparent.

WHAT IS THE NOTIFIABLE DATA BREACH SCHEME?

The scheme came into effect last month. It requires many organisations to take specified actions when:

  • an unauthorised third party obtains its personal information; and
  • the breach is likely to cause serious harm to those to whom the information relates.

There’s no clear definition of what constitutes ‘serious harm’ but it needn’t extend just to financial or physical harm.

Don’t forget that personal data doesn’t mean just customer data. It also applies to personal information relating to employees, staff and other external parties.

WHO HAS TO COMPLY?

NDB applies to:

  • Australian Government agencies
  • Businesses and not-for-profit organisations with an annual turnover of $3 million or more
  • Some small business operators, as explained below.

 

IS THIS SOMETHING SMALL BUSINESS NEED TO WORRY ABOUT?

Any organisation with annual turnover of $3 million must comply with the NDB scheme.

Most small businesses don’t hit the $3 million turnover threshold so are largely unaffected by the scheme, however

Small businesses falling under the categories described above, also must comply with the scheme, including:

  • Private sector health service providers
  • Organisations that trade in personal information
  • Credit reporting bodies
  • Employee associations under the Fair Work Act 2009

Additionally, if a small business carries on any of the following activities it must comply with the NDB scheme, but only in relation to personal information held by the entity for the purpose of, or in connection with, those activities:

  • Provision of services to the Commonwealth under a contract
  • Operating a residential tenancy database
  • Reporting under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006
  • Conducting a protected action ballot
  • Holding tax file numbers (therefore, any entity which employs staff)
  • Retaining information under the mandatory retention scheme, as prescribed by the Telecommunications (Interception and Access) Act 1979.

Legal risks aside, there are of course reputational risks to having personal information going astray. If you’re a small operator, for instance, and your mobile phone goes missing you’re at risk of customers’ phone numbers, email addresses and physical addresses falling into the wrong hands. The results can be embarrassing; no customer is going to recommend you to friends and family if they know you’ve shared their personal information, even if it’s accidental.

And if you’re an ambitious small business with plans to get bigger, it’s worth starting to think about managing risks relating to how you store and access personal data. That way you’ll be prepared when your income does exceed $3 million.

WHAT TO DO IF YOUR BUSINESS SUFFERS A NOTIFIABLE BREACH

If you need to comply with the NDB and personal information held by your business gets accessed by another party you should notify the Office of the Australian Information Commissioner and all individuals likely to be at risk of harm from the breach. These notifications should:

  • Identify the contact details of your organisation
  • Describe the data breach
  • Outline the kinds of information concerned
  • Make recommendations about steps individuals should take in response

It’s not always easy to know if a data breach has occurred, especially if you’re not a large organisation with expensive firewalls and access to IT staff/consultants. The key is to issue notifications as soon as you become aware of the breach. Obviously the sooner you find out, the less risk there is of the breach causing damage.

PREVENTION IS BETTER THAN CURE

Of course, the best plan of attack is to minimise the risk of having your data retrieved by others. Regardless of whether you are subject to the NDB, it’s prudent to ask yourself a few questions:

  • How do you store your customers’ data and how widely is it shared? Is it stored on the cloud and on mobile devices or contained to one device which is kept at the office?
  • What safeguards do you have in place to protect that information? Do you have suitable passwords and security software in place to protect against hacking?
  • Are you prepared to take suitable remedial actions should customers’ personal information be obtained by an unauthorised third party? For example, can you easily notify affected customers should someone else get hold of their data? Should you consider preparing an NDB response plan?

If you want to know whether your business needs to comply with the NDB contact Sean Melbourne.

Related articles

Digital glowing polygonal brain interface on blue background. Artificial intelligence and circuit concept. 3D Rendering
The World’s First AI Rulebook: The EU AI Act and the Impact on Australia and New Zealand
Businessman signs Paperwork
Understanding Fit for Purpose Obligations in Contracts
Group of diverse coworkers walking down the stairs in an office
From Contractor to Employee: Understanding the New Employment Definition in Closing Loopholes No. 2
Group of colleagues engaging in a discussion during a business meeting in a conference room. Happy business people, men and women, collaborating and working towards their shared goals.
Navigating the new casual conversion process: Key changes ahead

Subscribe to Receive Our Latest Offers and Updates.

Get in
touch.

Email us
evergen
jonas
qmag
hudson
bluefit
pybar
uts
hostopia
Calix Limited Logo
Sofico Logo
Ansarada
For more information or a general chat please email us at info@sourceservices.com.au
Instagram Linkedin

Sydney
Australia Square
Level 42,
264 George Street
Sydney, NSW 2000

Melbourne
Level 33,
360 Collins St
Melbourne VIC 3000

Perth
Central Park
Level 39,
152 St Georges Terrace
Perth, WA 6000

Brisbane
Riverside Centre
Level 19,
123 Eagle Street
Brisbane, QLD 4000

Newcastle
Level 3
21 Bolton St Newcastle
NSW 2300

Auckland
Vero Centre
Level 35
48 Shortland St
Auckland, New Zealand 1010

Source New Zealand is operated by Hamilton Locke (NZ) Limited (Company No. 8463155) trading as Source

Source Legal Australia is operated by Source Services Pty Ltd ACN 150 668 554 (Source Legal Australia).
Liability limited by a scheme approved under Professional Standards Legislation.

Source Legal New Zealand is operated by Hamilton Locke (NZ) Limited (Company No. 8463155) (Source Legal NZ)

Disclaimer