On 13 February 2017 the Privacy Amendment (Notifiable Data Breaches) Bill 2016 came into effect, bringing mandatory privacy breach notification to Australia. The new legislation will require any agency or organisation regulated by the Privacy Act to notify the Australian Information Commissioner and affected individuals in the event of a data breach.
Exceptions to the Act aside, the legislation does highlight the need to actively manage personal information held by organisations. Knowing where to start is often difficult. Below are three key activities that your organisation should consider in light of these new requirements.
1. Understand where, why and how you collect personal information
The Australian Privacy Act 1988 defines personal information as, “information or an opinion about an identified individual, or an individual who is reasonably identifiable: (a) whether the information or opinion is true or not; and (b) whether the information or opinion is recorded in a material form or not”.
Nearly every business collects personal information, but few actively consider why information is being collected, or how it is being used. Having a consolidated view of the personal information that is collected, why it is needed and how it is sourced is a great starting point for actively managing privacy requirements.
It’s also an important step for many reporting and analytics efforts. Information asset discovery audits are a useful activity if you really don’t know what is currently being collected.
2. Know where you store and how you manage personal information
Knowing what you collect is half the story. The other half is having a clear understanding of where personal information is stored, and how it is managed throughout its lifecycle. This understanding is crucial to demonstrating that personal information is kept secure, that an individual can be provided access to their information on request, and that personal information can be corrected if necessary.
3. Have a plan to respond to privacy breaches
Privacy breaches happen. This site even makes beautiful images out of privacy breaches. Even with the best plans and defences, personal information may be inadvertently disclosed. Having a clear plan to respond to a privacy breach is crucial for a number of reasons.
Firstly, it reduces the time to respond to the privacy breach, because a process is available to follow. Secondly, a defined response process helps ensure that appropriate regulators and stakeholders are notified proactively. Finally, a defined process demonstrates a commitment to your customers to protect their information and to privacy in general. A structured decision tree or process and plan of attack, developed before it’s needed, is the key to successfully responding to privacy breaches.
A review of your personal information collection and storage practices will not only ensure compliance with the new legislation, but could also reduce costs and improve the overall customer experience with your business.