The Australian Privacy Amendment (Notifiable Data Breaches) Act 2017: What You Need to Know

Last updated: 03 October 2017

The Australian government has been working to update their Privacy Act of 1988 with the Privacy Amendment (Notifiable Data Breaches) Act of 2017. That sounds like a lot of legislative jargon, but the Amendment is very important for people whose responsibility it is to protect data in Australia. Data breaches hit the news in a big way with the recent Equifax incident in the U.S., but Australians are just as susceptible to data breaches which could put them at risk.

The Amendment defines the scope of breaches that it applies to, and regulates the security of Australian data stored overseas. So, the Amendment is just as relevant to Google servers in California as it is to Australian data centres.

Here are some basic facts you need to know:

When does it take effect? 22 February 2018

Who must comply with it? The Notifiable Data Breach scheme applies to Australian, Australian Capital Territory and Norfolk Island public sector agencies; private sector organizations with an annual turnover of more than $3 million; health service providers; and some small businesses and nongovernment organizations.

What types of data breaches does the Act cover? Organizations are only required to notify when there is a data breach that is likely to result in serious harm to any individual to whom the information relates. Exceptions will apply for some data breaches, meaning that notification to individuals or to the Commissioner may not be required.

How will the Act identify data breaches that cause serious harm? Serious harm will be determined by the kinds of information involved, its sensitivity, whether it was protected (including by encryption and access controls), and the kinds of persons who have obtained the information. An objective test will apply to assess reasonableness, meaning that what is reasonable is a question of fact in each individual case. Examples of harm could be identity theft, financial loss.

What must organizations do when they discover a breach? When an organization is aware that there are reasonable grounds to believe that there has been an eligible data breach, it must, as soon as practicable, prepare a statement outlining the information compromised by the breach and the steps individuals should take in response, and give a copy to the Office of the Australian Privacy Commissioner.

Will organizations be required to notify affected individuals? Yes, organizations will have to notify people whose information has been compromised, either directly or by posting a message on their web site.

I believe this Amendment is crucial. Many corporate data centres and networks are ill prepared for attacks on Australians’ data.

According to Malwarebytes’ State of Ransomware report for Australia, ransomware attacks have forced 22% of Australian small and medium-sized businesses to halt their operations. Ransomware attacks definitely count as cyber-attacks on data, as they encrypt files on hard drives so that users and administrators lose access to their data.

Gemalto’s Rana Gupta understands how important and challenging it is to protect data and computer systems. The matter grows in significance when IoT is also considered: everyday technology like cars and household appliances is also at risk.

“Organizations – especially those who provide critical services, including healthcare and utilities – were willing to pay ransom to avoid losing data or having their systems shut down, simply because they couldn’t afford to halt their operations even temporarily, let alone days. This no doubt had boosted the ego of the cybercriminals and fueled similar attacks.

In 2016, we saw IoT-based DDoS attacks for the first time. We expect such attacks on IoT devices to continue growing globally and in APAC.

By today, it has been proven repeatedly that connected cars can be hijacked via their internet-enabled telematics box – even Tesla is not impervious to this type of hacking – safe to say we will continue to see more cases of technology-led accidents, highlighting the need to continuously engage in the discussion of security.

IoT device security works best if manufacturers and relevant parties of IoT devices take ownership of this issue and better secure their devices, instead of leaving them to their customers to handle.”

Gemalto’s Graeme Pyper knows that Australian businesses should get serious about data protection.

“Data Protection Officer isn’t a job title I’ve heard a lot (while talking to Australian businesses).

You don’t need to boil the ocean as long as you’re doing sensible things. But you can’t continue without having those protection mechanisms in place.”

Gemalto’s Rana Gupta has noticed how some Australian businesses react to data protection regulations like the Amendment and the GDPR.

“Based on the seriousness of the offence (when companies fail to inform the necessary authorities in the event of a qualifying breach), we see companies listening closely and making plans to beef up their data protection schemes.

Apart from the monetary loss, there are other intangible prices a compromised company has to pay. In today’s digital world, consumer trust in a business to protect their data can make or break a company.”

Hopefully, Australian organizations will take data protection regulations like the Amendment seriously. According to the Gemalto Breach Level Index, Australia was hit by more data breaches in the first half of 2016 than any other country in the APAC region.

Here are some basic steps businesses can take to start their preparations for the Australian Privacy Amendment Act of 2017:

  • Identify where sensitive data resides
  • Minimize the number of data repositories where possible
  • Safeguard data by using encryption and key management
  • Control user access to applications and data using multi-factor authentication

To learn more, Gemalto has a free guide to the Australian Privacy Amendment (Notifiable Data Breaches) Act 2017 which you can download here.
