Beginning 22 February, some brokers are legally required to report to both government and affected individuals instances of data breaches involving personal information that could result in “serious harm”.
The new Notifiable Data Breaches (NDB) scheme was established after an amendment to the Privacy Act last year.
The new law aims to improve the protection of personal information, specifically with regards to electronic data.
As of Thursday (22 February), all agencies and organisations with existing personal information security obligations under the Australian Privacy Act 1988 (Privacy Act) will be obliged to notify individuals whose personal information is involved in a data breach that is “likely to result in serious harm”.
This could include the loss of a smartphone or laptop, accidentally emailing personal information to the wrong recipient or personal files being hacked.
Although the Privacy Act generally does not include small businesses that have a turnover of less than $3 million a year, the NDB scheme will apply to organisations that trade in personal information and credit reporting bodies and to any persons in possession or control of a record with tax file number information, among others.
Relevant brokers will also have to notify the Office of the Australian Information Commissioner (OAIC) of “eligible data breaches” (for example, the loss of unencrypted memory sticks that contain personal information). More details on what constitutes an eligible breach can be found on the OAIC website.
The notification to affected individuals and the commissioner must include the following information:
- the identity and contact details of the organisation
- a description of the data breach
- the kinds of information concerned
- recommendations about the steps individuals should take in response to the data breach
Failure to comply with the NDB scheme can entail fines of up to $2.1 million.
The move comes after the 2017 Australian Community Attitudes to Privacy Survey found that 94 per cent of Australians believe they should be told if a business loses their personal information, and 95 per cent said that they should be told if a government agency loses their personal information.
The Australian Information Commissioner, Timothy Pilgrim, commented: “The Notifiable Data Breaches scheme formalises a long-standing community expectation to be told when a data breach that is likely to cause serious harm occurs.
“The practical benefit of the scheme is that it gives individuals the chance to reduce their risk of harm, such as by re-securing compromised online accounts. The scheme also has a broader beneficial impact — it reinforces organisations’ accountability for personal information protection and encourages a higher standard of personal information security across the public and private sectors.
“By reinforcing accountability for personal information protection, the NDB scheme supports greater consumer and community trust in data management. This trust is key to realising the potential of data to benefit the community, for example, by informing better policymaking and the development of products and services.”
‘Once [brokers] recognise a breach, they need to start moving on it and acting on it’
Speaking to The Adviser ahead of the new scheme, Connective’s group legal counsel, Daniel Oh, reminded Connective brokers to notify the aggregator’s compliance support manager immediately should a suspected data breach occur.
Mr Oh said that while brokers will themselves need to establish whether they are subject to the new laws, Connective is urging all brokers to contact the aggregation company should there be a data breach, as Connective itself is legally bound to report any such eligible breaches.
“These laws apply to Connective, but they also apply to our lender partners.
“So, our general policy is that if a data breach has happened, contact us and let us know as soon as possible. Obviously, the requirement under the Act is to try and remediate the situation, to try and mitigate and fix it.
“We will work with our brokers to try and fix it, whether it is to advise and look at their IT systems, or whether it is to call the affected persons and tell them what has happened, etc., or destroy certain files, etc.”
Mr Oh continued: “We can work together either before or after mitigation steps have been taken and establish whether there is still an obligation to report this to the OAIC or not.
“The key thing is that once [brokers] recognise a data breach has happened, they need to start moving on it and acting on it.”
He urged brokers to ensure that they “have appropriate security, appropriate password locks... and sensible practices and processes around data security” to protect borrower data.
Connective added that if broker businesses are separately governed by the Privacy Act, they recommend that brokers “seek independent legal advice” should they require further assistance regarding compliance with these new laws.
A suite of resources is available from the OAIC to provide further guidance on the NDB scheme.