There has been a lot of media coverage recently about the privacy of individuals' information and whether it can be shared with others.
Business owners obtain personal information from a variety of sources and should already be familiar with the Australian Privacy Principles. As a result of amendments to the Privacy Act which came into effect on 22 February 2018, businesses with an annual turnover in excess of $3 million must notify the Office of the Australian Information Commissioner (OAIC), and the affected individuals, if there is an eligible data breach. There is now the possibility of fines of up to $1.8 million if the Privacy Act is not complied with.
An eligible data breach occurs where:
- There is an unauthorised disclosure of, or access to, personal information and a 'reasonable person' would conclude that there is a 'likely risk' of 'serious harm' to any affected individuals arising from the disclosure or access; or
- Personal information is lost in circumstances likely to give rise to unauthorised disclosure of, or access to, that information and a 'reasonable person' would conclude that there is a 'likely risk' of 'serious harm' to any affected individual.
A data breach or disclosure of personal information can result from malicious acts by cyber criminals, but it can also result from human error in your business rather than a deliberate act, for example: sending an email to the wrong person, leaving a laptop somewhere others can access it, or people accessing information that they should not.
Businesses hold staff and client information and, in some cases, information about other parties. All businesses should have policies, procedures and training programs in place which deal with the collection and storage of information and with what to do when a data breach occurs.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.