Connective broker resources

Find out the latest news and information from Connective

Important Compliance Update: New Privacy Laws regarding data breaches.

The Australian Government has introduced some new laws around “notifiable data breaches” which came into effect on Thursday, February 22. These new laws establish requirements for responding to instances where the security or privacy of a customer’s information may have been compromised.

What’s changing?
These new laws are called The Notifiable Data Breach Scheme (NDB) and will be included in the Privacy Act 1988 (Cth). The NDB will require us to notify affected individuals if their personal information is affected by a data breach. We will also be required to notify the Office of the Australian Information Commissioner (OAIC).

 

What is a data breach?
A data breach is an instance where the security or privacy of a person’s personal information may have been compromised. For example:

  • someone may have gained unauthorised access to the information,
  • the information was shared with someone who should not have seen it,
  • the information may have been illegally accessed or stolen by persons unknown.

Examples of data breaches could include where:

  • you lose a smartphone or laptop containing client information,
  • you accidentally email a person’s personal information to the wrong person,
  • you leave a file unattended on your desk in view of unauthorised persons,
  • your computer files have been hacked.

Personal information can be private information or documentation, or it could just be an opinion about an individual. If a data breach does occur, we are now required to notify the OAIC and the impacted individuals as soon as the data breach has been detected.

Who needs to report data breaches?

Data breaches need to be reported by anyone governed by the Privacy Act, or any third parties who hold this information on their behalf. Since Lenders and Connective are governed by the Privacy Act, the new rules will apply to us and all Connective Credit Representatives.

One of the tests to see if your business is governed by the Privacy Act is whether it has had an annual turnover of more than $3 million in any financial year since 2002. If you are unsure, please refer to the checklist prepared by the OAIC.

 

What do you have to do next?
To make things easy for you, we’ve created a Data Breach Notification Policy explaining exactly what you need to do. Please also review the appropriate actions outlined below.

  • Please read our Data Breach Notification Policy on the Connective Wiki.
  • If a data breach occurs, or if you suspect that a data breach may have occurred, please notify Connective immediately and follow the steps laid out in the Data Breach Notification Policy.
  • If in doubt, or if you’re unsure if a notifiable data breach has occurred, please contact your Compliance Support Manager or email compliance@connective.com.au.
  • Please review your business practices regarding privacy of information, data storage and your other systems and procedures relating to the handling of personal information of your clients. Please ensure that your laptop computers and mobile devices have appropriate password protection and institute a clean desk policy to keep files safe.

Connective brokers who are individually subject to the Privacy Act (ACL Holders)

In addition to your obligations under Connective’s Data Breach Notification Policy, if your business is governed by the Privacy Act, you will need to learn about the new provisions of the Privacy Act and ensure you understand your obligations. We would recommend you seek independent legal advice if you require further assistance regarding your own compliance with these new laws.

 

We are here to support you!

If you have any questions, please contact your local Compliance Support Manager, or email the Compliance Team at compliance@connective.com.au. If you need further explanation or clarification of the new Privacy Laws, you can email our Group Legal Counsel Daniel Oh at daniel.oh@connective.com.au.