Protecting Personal Data: How to Prepare for Data Protection Law Changes
Many companies keep a trove of personal information on their customers in both paper and electronic form. But not every company knows how to keep that data safe. With legislative changes coming in 2018, organisations need to ensure their policies are fit for purpose, or pay the price.
Data privacy and protection in Australia is currently regulated through a mix of federal, state and territory legislation. The most far-reaching, the Privacy Act 1988 (Cth), applies to private sector entities with an annual turnover of at least $3 million and to all Federal Government and Australian Capital Territory Government agencies. The Privacy Commissioner operates through the Office of the Australian Information Commissioner (OAIC), the national data protection regulator.
An organisation that breaches the Privacy Act is currently under no legal obligation to report that breach to any of the individuals whose data is compromised, or the OAIC.
But those laws will change dramatically in 2018, when companies will be legally obliged to disclose data breaches, so they need to act now to protect their sensitive information. The Federal Government’s Privacy Amendment (Notifiable Data Breaches) Bill 2016 establishes a regime for mandatory notification of data breaches that relate to personal information, credit reporting information, credit eligibility information and tax file numbers.
Under the new laws serious or repeated privacy breaches may attract a maximum penalty of $360,000 for individuals and $1.8 million for companies.
According to the new Privacy Act rules, a data breach occurs where there has been unauthorised access to, or disclosure of, personal information, or when circumstances arise that are likely to lead to unauthorised access or disclosure. These breaches will need to be reported to the OAIC.
There are a number of risks associated with data breaches. Insecure information practices can open the door to identity fraud, which, according to the Australian Bureau of Statistics, costs the Australian economy around $1.6 billion every year. Employees may also be put at risk if payroll or human resources information is leaked.
Shred-it’s 2016 Security Tracker research conducted by IPSOS found that the majority of businesses had some awareness of the legal requirements and fines associated with data breaches. But most were not doing enough to prevent risks from arising.
Businesses must be mindful that awareness does not equal compliance. There remains a real gap between the awareness of the need to avoid security breaches and the implementation of security policies on a practical level, especially for SMEs.
A document management policy, including clear retention periods for different types of documents, is the best way to keep track of the various minimum legal requirements. Such a policy ensures that confidential information is not kept for so long that it becomes a security breach risk.
Businesses should have strict policies on encrypting customer data stored on-site or in the cloud. They also need a device control strategy to identify and control the use of removable storage devices such as USB drives, to help stop personal information leaving their premises. Physical records should be stored in a secure place that only the relevant employees can access.
By staying one step ahead and applying and enforcing preventive measures, businesses will be in a stronger position to uphold the integrity of their information and ultimately the reputation that will ensure their future prosperity.
Start Protecting Your Business
To learn more about how Shred-it can protect your documents and hard drives, please contact us to get a free quote and data security risk assessment.