Preparing for the Notifiable Data Breaches Mandatory Reporting Scheme
Mandatory Reporting of a Notifiable Data Breach – The Office of the Australian Information Commissioner (OAIC).
The OAIC is a Federal Government body and its 3 primary functions are as follows:
- Privacy functions, conferred by the Privacy Act and other laws.
- Freedom of information functions, in particular, oversight of the operation of the Freedom of Information Act 1982 (FOI Act) and review of decisions made by agencies and ministers under that Act.
- Government information policy functions, conferred on the Australian Information Commissioner under the Australian Information Commissioner Act 2010 (AIC Act).
We are going to focus on part of the 1st function, the privacy function under the Privacy Act, which is the one that relates to your IT systems and the security of personal information.
The presentation I was on last week had about 1500 participants, which is a pretty big audience, as this is such a massive issue that we all need to be aware of.
The reason it is picking up momentum is that the scheme commences on 22 February 2018. That is now about 2 ½ months away.
The goal of the legislation is to protect personal information covered by the Privacy Act by requiring organisations to notify the OAIC and affected individuals when a data breach is likely to result in serious harm.
There are penalties for serious or repeated interference with privacy, and they can reach about $2.1m for organisations. Intentional breaches will be hit hardest.
If you have reasonable grounds to suspect that your organisation has been breached, you have 30 days to conduct an assessment. If that assessment finds that the breach is likely to result in serious harm to the individuals concerned, you must notify the OAIC and those individuals as soon as practicable.
The scheme applies to organisations covered by the Privacy Act, including:
- Anyone providing health services, which includes personal trainers and gyms as well as medical centres, specialists, hospitals, carers, disability services, etc. (health service providers are covered regardless of their size).
- Private schools and colleges, plus universities.
- Any organisation with annual turnover over $3m. Above that threshold, think of any organisation that takes payments from individuals: retail, web stores, entertainment, etc. Also think about your HR department (staff records) and accounting department (staff bank accounts) as well.
- Think financial planners, accountants, legal, real estate, and the list goes on.
This legislation has a very broad reach.
If you do not consider this information and seriously look at how you manage your security, and you do end up with a data breach, you could be found negligent and penalised.
Go to this link for more information: https://www.oaic.gov.au/agencies-and-organisations/app-guidelines/
You will also find the ‘Combined set of APP guidelines (as at 1 April 2015)’ at the above link.
Below is an outline of the process that needs to be taken if you believe your organisation has been breached.
This legislation is coming at us very quickly and we need to look at how each of our businesses will be impacted.
Go Systems has a solution which will cover the 9 points that are raised within the legislation.
Thanks for having a read.