Contents
Data breaches have had strict regulations around them for a while now in Australia. However, the topic has recently been getting discussed more in light of the recent Optus data breach incident.
This has caused some concern for many businesses, but don’t stress! Data breaches can be prevented by having the right cyber security systems in place, and the right legals too.
In addition to training your staff for a situation involving a data breach, you want to draft the right documents to protect your business.
Keep reading to learn more.
What Are Australian Data Breach Laws?
Australian data breach laws are the regulations that set the rules for how data is handled and what happens in case of a data breach.
These laws set the standards on how data should be collected, managed and retained. It also lets businesses know what their responsibilities are when a data breach occurs, such as who to report to.
Privacy Act 1988
As a business, you mainly need to be aware of the Privacy Act 1988 (the Privacy Act) and The Australian Privacy Principles (APP).
According to the legislation, every business that is covered by the Privacy Act (this means all businesses that collect personal information) are required to follow the APP.
As we mentioned, the legislation determines what can and cannot be done when it comes to collecting the data of others. For example, businesses that have an annual turnover of more than $3 million need to have a Privacy Policy in place.
This Privacy Policy should let users know how their information is being collected, the purpose for collection and whether it is being disclosed to any third parties.
What Is A Notifiable Data Breach?
A notifiable data breach occurs when personal information has been accessed without permission or deleted.
Unfortunately, it’s not uncommon for data breaches to occur.
A data breach can happen to anyone, from big companies to small businesses. So, even if you’re a business that is still in its early stages or the only kind of data you collect from your customers are their emails, you still need to be careful and aware of the potential risks.
Even the smallest bit of personal information can aid a hacker and put your business at risk.
What To Do In A Data Breach
When a data breach occurs, time is of the essence! The speed and effectiveness of your response can play a huge role in how your business recovers from this.
Once you have confirmed a breach has occurred, take a detailed and thorough view of what was compromised or stolen. This is important as it helps you assess the extent of your damage.
Next, you will need to make sure you secure your systems quickly. The longer you take to do this, the longer your business continues to remain vulnerable and exposed.
It helps to have a predetermined set of steps put in place so when a breach occurs, you know exactly what to do and aren’t frantically scrambling for a solution.
A Data Breach Response Plan is exactly what the name suggests. It’s a plan that is catered to your business in case of a data breach. That way, everybody knows what they need to be doing and how to go about it.
It’s great to take active measures to prevent a data breach but it is equally as important to be prepared in case things don’t go the way we want them to.
Along with responding quickly when a data breach occurs, you are also legally required to notify all the relevant authorities and people impacted.
Australian Data Breach Notification Laws
According to the Privacy Act and the APP, a business that has experienced a data breach must notify the Office of the Australian Information Commissioner (OAIC) and their impacted customers when the breach occurs.
This is in line with the notifiable data breaches scheme.
As the scheme notes, the notification must include the details of your business, a description of the breach and the information that was exposed as well as the steps being taken to minimise the impact of the breach.
If your business services customers outside of Australia, then you need to follow the respective data breach laws of that region and take action accordingly. This will likely involve notifying the authorities and customers from those countries as well.
For example, if your business conducts activities in the EU, you need to comply with your GDPR obligations.
Australian Cyber Security Laws
As we noted above, for a business, it is your legal responsibility to make sure the data you collect is protected.
If you don’t take reasonable measures to protect your data and an incident occurs, then you could be held liable for the breach.
However, if it is evident that you had done everything you could to keep the data safe, then this could work in your business’ favour.
Therefore, it’s important not just for your customers’ privacy, but also for the security of your business to keep your data protected.
How To Build A Strong Cyber Security System
Building a strong cyber security system is the way to keep your business’ data protected.
The cyber security system is simply the internal processes, measures and programs your business utilises in order to keep data secure.
Every cyber security system will look different depending on the business.
Some ways you can implement a strong cyber security system include:
- Limiting the amount of people that have access to the data
- Only keeping the information that is needed for as long as it is needed
- Getting the help of an IT expert to install protective software, set up passwords, encryptions and make sure everything is in the one place
- Constantly update your security measures
- Make sure all the business’ staff is trained and educated in cyber security
Do I Need A Cyber Security Policy?
A Cyber Security Policy is another way to strengthen your business’ cyber security system. The policy is an integrated way of letting all members of the business know how to manage and protect the businesses cyber security measures.
Cyber security is generally more effective when all employees are aware of it as opposed to it falling on the shoulders of one or a few.
A cyber security policy can be catered to each individual business, but they generally include:
- Information on what employees can access what
- Training and updates on security measures
- Cyber security insurance
- Rules around flexible working arrangements
- Data breach response plan
Talk to us today about getting a cyber security policy for your business.
Key Takeaways
Cyber security is a huge concern for any business. It’s important to stay alert and prepared so you can keep your customers and business safe. To summarise what we’ve discussed:
- Data breach laws are the regulations surrounding the protection of data
- The Privacy Act and the APPs are the main legislative documents businesses need to be familiar with
- A notifiable data breach is when unauthorised access to the personal data a business has possession of occurs
- When this occurs, businesses must take steps to secure their systems and notify the relevant authorities along with the impacted customers
- According to Australian cyber security laws, it’s the responsibility of the business to take measures in protecting the data they have collected
- Having a strong cyber security system and cyber security policy can help in fulfilling this obligation
If you would like a consultation on Australian law data breaches, you can reach us at 1800 730 617 or team@sprintlaw.com.au for a free, no-obligations chat.
Get in touch now!
We'll get back to you within 1 business day.
Top 3 Legal Mistakes
Book in a free consultation with us to discuss your legal needs.