Are you a business with an annual turnover of $3 million, a reporting entity under the AML/CTF regime, or a credit reporting body? Do you collect customer details such as their name, address, telephone number, date of birth, bank account details, tax file numbers or opinions?

If you answered yes to the questions above then guess what? The Privacy Act 1988 (Cth) applies to you, and guess what this week is… it’s Privacy Awareness Week (PAW)!  PAW is a great opportunity for you to review your organisation’s compliance with the Privacy Act and also understand the new Notifiable Data Breach (NDB) Scheme which will take effect on 22 February 2018.  In essence, the Privacy Act governs the safekeeping of personal information that you collect from your customers.   

A data breach is a situation where the personal information you hold is viewed, disclosed, stolen, modified or used by persons unauthorised to do so and it is a common cyber risk for any organisation. Remember Yahoo, the 1 billion accounts that were hacked and the resulting $350 million reduction in its valuation? An essential risk control strategy is to implement a Privacy Program in which to hold and manage personal information which you collect. Compliance with the Privacy Act should be a key feature of any organisation’s risk management framework and is key to demonstrating that you have met your AFS general licensing obligations to have adequate risk management systems and information technology resources in place.

Since 2014 when the Australian Privacy Principles (APP) were introduced, CompliSpace has been advocating that “simply publishing a privacy statement on your public website is not enough.” This is because practicing privacy everyday involves more than just directing staff, clients and other stakeholders to your privacy policy – assuming you have one.  As our recent article explained, in addition to increasing regulatory demands, there has also been an increased focus on Operational Due Diligence (ODD) within the Asset Management community. ODD assesses not only an organisation’s policies, processes and procedures, but also its risk culture including the energy and effort it allocates to bring the policies, procedures and control activities to life.

If you are one of the many organisations who do not have a Privacy Program in place, or even a Privacy Policy for that matter, you are running the risk that in the event of a data breach, which is reportable under the new NDB regime, that you will not meet the reporting requirements resulting in serious financial and reputational consequences for your organisation. In addition, AFSL holders may discover that a NDB may also be a significant or material breach reportable to ASIC in accordance with your obligations under the Corporations Act. From a commercial perspective, a lack of a Privacy Policy and compliance activities to support it may demonstrate a weakness in your risk management control framework, which may prevent you from passing an ODD assessment and costing you a lucrative investment mandate.

All organisations should use PAW to check their compliance with the Privacy Act as part of a Personal Information Management Audit. Undertaking the Audit will not only allow you to assess the corporate culture implied by your Board, senior management and Risk Management framework but also check for deficiencies.   All of which will lessen your workload when it comes to meeting the obligations of the new NDB Scheme by February next year and also increase compliance with your AFSL obligations and ability to succeed in any ODD undertaken on your organisation.

New Notifiable Data Breach Scheme

From the 22 February 2018, organisations will be required to report data breaches to the OAIC and to the people whose data has been lost or released inappropriately.  We wrote an article about the NDB Scheme earlier this year when the laws were passed by Parliament.  The occurrence of a data breach will indicate that an organisation has failed to comply with APP 11 which requires an organisation to take ‘reasonable steps’ to protect the personal information it holds from misuse, interference and loss, as well as unauthorised access, modification or disclosure

According to the ACAPS Survey over 94%  believe if a business loses their information they should be told about it. Over eight in ten people agrees strongly with mandatory data breach reporting.

CompliSpace has produced a briefing paper which explains the NDB Scheme, how it will affect organisations and what they should be doing now to prepare for the laws taking effect in 2018.  The paper is available here: Privacy Update: Mandatory Notification of Data Breaches. Organisations are effectively on notice to ensure that they have developed and implemented a Privacy Program in so the employees of the organisation understand how to protect personal information in accordance with APP 11.

 

How CompliSpace can help

CompliSpace delivers industry specific web-based programs to manage your risk and compliance requirements that can be quickly tailored and configured to suit an organisation’s needs and are kept up-to-date with legal and regulatory changes by our team of specialists.  In response to the introduction of the NDB scheme, CompliSpace has developed detailed policies and procedures to update our Privacy Program, including a DBR Plan that address the provisions under the legislation. The new policies and procedures are designed to integrate into an organisation’s existing Privacy Program and be tailored to the particular circumstances of each organisation.

Our team of compliance professionals and lawyers combine extensive expertise with practical technology-enabled solutions to simplify the complexity of the regulatory environment and allow our clients to focus on allocating resources toward improving financial performance.

Please contact Brooke Benson to discuss how we can assist you further in meeting your privacy obligations.

This blog is a guide to keep readers updated with the latest information. It is not intended as legal advice or as advice that should be relied on by readers. The information contained in this blog may have been updated since its posting, or it may not apply in all circumstances. If you require assistance or advice please contact us on (02) 9299 6105.