Amendment to the Online Privacy Bill
We read the online privacy amendment bill so you don’t have to.
Just take a minute to stop and think about all the private data that has been collected about you and your activities in the last week, month or year. Amazingly, in just a year it could fill thirteen 32 GB iPads!
Nowadays, most of us would not think twice about giving our home address, telephone number or even bank account details to companies with seemingly safe and secure web pages. We all place an exceedingly high level of trust in these entities, taking their accountability for granted. This is especially concerning when you consider that there is currently little protection in place for individuals, and companies are not even required to inform us of a possible security breach!
But now, with a large majority of the electorate supporting reform of our current Privacy Act, and a rare bipartisan agreement resulting in the Privacy Amendment (Notifications of Serious Data Breaches) Bill 2015, it seems we may soon be able to rest assured that precautions are being taken to keep our data safe.
So, what’s in the Bill?
The key strategy here is to make sure that consumers are well protected against online security breaches, with consumers' rights enhanced to give them more control over how their information is collected, handled and disclosed to others. The 2015 Bill also intends to ensure that those affected by serious data breaches are notified when breaches occur, so that they have the opportunity to take action to reduce their losses.
What’s a “serious data breach”?
According to the 2015 Bill, a ‘serious data breach’ occurs when there is unauthorised access to, disclosure of, or loss of, personal information held by an entity. The personal information covered can include credit reporting information, email addresses, telephone numbers, credit eligibility information and tax file number information.
Notification of a “serious data breach”.
Where a company is aware, or has reason to believe, that a ‘serious data breach’ has taken place, it becomes the company's responsibility to inform both the Federal Privacy Commissioner and the affected persons of what has occurred. Notification is required if the breach gives rise to a ‘real risk of serious harm’ to the individual, whether physical, psychological, emotional, reputational or financial.
Currently, the Privacy Amendment states that only Government agencies and private sector organisations with an annual turnover of over $3 million are required to take ‘reasonable steps’ to maintain the security of individuals' personal information. This leaves ‘reasonable steps’ open to broad interpretation, with no distinct set of guidelines that organisations must adhere to. Also, since the large majority of small businesses have annual turnovers of less than $3 million, yet many still collect important personal data, a large loophole is created that significantly lessens the effectiveness of the Bill. Law enforcement and intelligence agencies are also exempt from mandatory reporting of data breaches.
This applies to my business, what should I do?
There are several things you can do for your business to mitigate the potential harm caused by future data breaches. The first is to audit your business internally through a risk assessment, identifying any security risks where clients' personal information may be vulnerable. The results can then be evaluated and used to propose new business policy, implementing safeguards and procedures that reduce the identified risks. Educating staff in cyber-security awareness and maintaining a strong relationship with your IT department are paramount to making sure standards are set and enforced.
Although the Government is certainly moving in the right direction in terms of prioritising cyber-security and recognising the possible impact of data breaches on individuals, there seems to be a disparity between rhetoric and reality. With the large majority of businesses, as well as law enforcement and intelligence agencies, exempt from the practices detailed in the Bill, and with too much room for vague interpretation and no succinct set of instructions for large businesses to comply with, the Bill singlehandedly reduces its own chances of achieving its policy objectives.
The Commonwealth Government is currently taking comments and criticisms from the general public on this proposed Amendment, so if you feel there could be some improvements, as we do, get your comment in before the 4th of March 2016. You can send them an email here.