30 January 2018 | Reading time: 2 minutes
It is easy to forget the little things when you delegate your responsibilities, especially if your delegates are the ‘experts’. However, some seemingly ‘small’ responsibilities can be very costly to neglect.
With the impending implementation of Australia’s mandatory data breach notification law on 22 February 2018, it is time to reassess the little things and take responsibility for handling personal information (whether digital or not).
It is no excuse, under Australian privacy law, to say that your business engaged the services of another entity responsible for managing your data storage mechanisms and protection systems.[1]
So who is responsible for compliance under the Privacy Act 1988 (Cth)?
Not only the big businesses.
If your business:
you will need to comply with the Privacy Act.[3]
The tech people said they’d take care of it.
Instances of hacking, accidental data leaks and ransomware events are on the rise, and no matter how advanced the technical systems, the ‘hackers’ are often one step ahead. 2017 saw events such as:
The extensive media coverage and public relations disasters arising from these events illustrate how important it is for businesses to consider what they should do both before and after a breach, rather than relying solely on third party services. Importantly, there is a legal requirement to do so as well.
What it means to comply.
One aspect of ensuring your business complies with privacy laws is the manner in which obligations are documented in a service agreement with a third party service provider. However, it may not be possible to fully capture some of the mandatory data breach notification scheme obligations in these agreements.
It is therefore imperative that, before 22 February 2018, businesses:
One of our privacy experts at Bespoke would be happy to discuss the ‘eligible data breach’ and the mandatory data breach notification scheme with you in more detail.
[1] Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) sections 26WB, 26WE, 26WH, 26WL, 26WR; ‘Who should notify?’ (August 2014) Office of the Australian Information Officer.
[2] Privacy Act 1988 (Cth) section 6FB.
[3] Privacy Act 1988 (Cth) sections 6C and 6D(4).