If you are an organisation with a $3 million annual turnover, are contracted by the Commonwealth or simply handle health related or financially sensitive information, you will be affected by the new data breach notification scheme.
As of 22 February 2018, organisations must now notify the Australian Information Commissioner if an eligible data breach has occurred in their organisation.
An eligible data breach occurs where:
- There is unauthorised access to, unauthorised disclosure of, or loss of, personal information;
- The access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates; and
- The entity has not been able to prevent the likely risk of serious harm by taking remedial action.
Any health related or sensitive financial information that would not otherwise be in the public domain that is disclosed, accessed or lost must now be notified to the Commissioner and the affected parties within 30 days of the breach.
Notably, information that is accessed by an external cyber-attack is also an eligible breach.
Organisations are encouraged to ensure all cyber security arrangements and information protection systems are in place to demonstrate that they made their best efforts to mitigate potential breaches.
Further, it is good practice to establish a business plan and a designated person or team within your organisation to take charge when an eligible breach occurs.
A business plan would include having procedures in place to mitigate the breach such as recalling an email or asking the recipient not to open an email and to immediately delete it.
It is essential to demonstrate to the Commissioner that you attempted to mitigate or prevent the serious harm from occurring.
Eligible data breaches and failing to mitigate same can lead to penalties of $360,000 for individuals and $1.8 million for organisations.
For more information on the data notification scheme, or to discuss your organisation’s policies and procedures, please contact our office.