February 12th, 2018
From 22 February 2018, new privacy laws come into effect under the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth).
This Act amends the Privacy Act 1988 (Cth) to add mandatory notifiable data breach provisions.
These new provisions require any entity governed by the Privacy Act, including Connective, lenders and some mortgage brokers, to notify affected individuals and the Office of the Australian Information Commissioner (OAIC) if Personal Information it holds, or that third parties hold on its behalf, is the subject of an eligible data breach (defined below).
For more information on these changes, please refer to https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme.
What is a data breach?
Under these new provisions, an “eligible data breach” occurs when there is unauthorised access to, unauthorised disclosure of, or loss of Personal Information, and a reasonable person would conclude that the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates. Typical examples include losing a smartphone or laptop that holds client data, accidentally emailing Personal Information to the wrong recipient, or an attacker gaining access to your client files or systems. Where an entity acts quickly enough to remediate the breach so that serious harm is no longer likely, it is not an eligible data breach and notification is not required.
If an eligible data breach does occur, the entity governed by the Privacy Act must notify the OAIC and the affected individuals as soon as practicable.
“Personal Information” is information or an opinion about an identified individual, or an individual who is reasonably identifiable.
Do these new laws impact me?
These new provisions are mandatory for all entities that fall within the scope of, and are governed by, the Privacy Act. One of the tests to see whether this includes you is whether your business has had an annual turnover of more than $3 million in any financial year since 2002. This is not the only test: some businesses are covered regardless of turnover, so check the OAIC guidance if you are unsure.
If you are unsure, please refer to this checklist prepared by the OAIC (https://www.oaic.gov.au/resources/agencies-and-organisations/business-resources/privacy-business-resource-10.pdf).
What do I need to do in relation to these new laws?
As Connective and each member of our lender panel are governed by the Privacy Act, if a data breach occurs, or you suspect that one has occurred, please notify Connective immediately and follow the steps set out in our Data Breach Notification Policy.
Please click here to view this policy, which sets out your obligations and what constitutes a data breach. Please take the time to read it; it is an important document that protects your clients.
Now is also a good time to review your business practices, especially around privacy, data storage, and the other systems and procedures you use to handle your clients' Personal Information. For your information, our updated IT security compliance certificate for Mercury will be available on 20 February 2018.
If in doubt, or if you’re unsure if a data breach has occurred, please contact your Compliance Support Manager or email firstname.lastname@example.org.
In addition to your obligations under Connective’s Data Breach Notification Policy, if your business is separately governed by the Privacy Act, you will need to familiarise yourself with the new provisions of the Act and ensure you understand your own obligations. We recommend that you seek independent legal advice if you require further assistance with your own compliance with these new laws.
We are here to support you
For further information on these new privacy laws, or your or Connective’s requirements in relation to these new laws, please contact our Compliance Team or our Group Legal Counsel Daniel Oh directly on XXX.