The Australian Government have recently passed a new privacy amendment – the Privacy Amendment (Notifiable Data Breaches) Bill 2016 – to the Privacy Act 1988. With the passing of this new amendment, the question everyone is now asking is “How will that affect me?”.
This Bill introduces mandatory data breach notification provisions for agencies, organisations and certain other entities that are regulated by the Australian Privacy Act. When this law comes into effect (a set date is yet to be confirmed), organisations that hold any kind of private personal data of Australian citizens will need to make sure they are doing all they can to protect this information. Just like the GDPR, this applies not only to organisations based in Australia, but to any organisation globally that holds this kind of data on Australian citizens.
The main focus of this amendment is to make sure users are notified when their data has been compromised in a data breach. Organisations will need to make sure that those affected, as well as the Information Commissioner, are informed within 30 days of a data breach occurring. Failure to do so can result in strict penalties: fines will be up to $360,000 for individuals, and $1.8 million for organisations with an annual turnover of more than $3 million.
This amendment puts the Australian legislation into very similar ground to the US security breach notification laws. These laws require any organisation that has suffered a data breach to notify their customers, and other affected parties, about the breach and to take steps to remediate injuries caused by the breach.
With these changes approaching within the next year, what can organisations – specifically those based in Australia – do to minimise the chance of a data loss incident? The first step is understanding what important and sensitive information you have stored – without knowing what data you hold, you cannot make adequate plans to protect it. Once you have understood what it is you need to protect, you can then use a data classification tool such as Boldon James Classifier to make sure that data is given the appropriate visual and metadata labels. These labels help ensure that sensitive data does not leave the organisation, or even get sent to the wrong people internally.
As mentioned, an implementation date has not yet been formalised, but we do know this regulation will definitely be enforced at some point over the next 12 months, which leaves plenty of time for organisations to ensure their data is appropriately protected. For more information about how data classification can help your organisation stay compliant under the latest amendment to the Privacy Act 1988 contact us, or request your free demonstration of Boldon James Classifier now.
You can also download the free two-page information flyer on how your organisation can stay compliant with the Australian Privacy Act.