I doubt that many of us would have envisaged the advances in technology which we have seen over the last 30 years. In 1988, phones were not smart (they were still fixed to landlines), personal computers were in their infancy and relied on dots for graphics, and alternative media meant it was necessary to get up from your chair and walk across the room to change (with a choice of four) channels on the TV.
At the same time the Australian Privacy Act 1988 was introduced. No doubt the legislators would never have conceived how differently we do things today and how heavily we reply upon technology in our everyday life. Communicating with friends, taking a photo, paying a bill, getting directions, shopping, and renewing our car registration are all interactions capable of taking place online and generating data…the list is endless. That has resulted in an exponential increase in the amount of data and personal information collected, stored, used, and shared by organisations on a global scale.
This has governments around the world very concerned, and many have taken steps in the last 12 months to address the changes in use of technology and to update the rights which individuals enjoy to privacy.
In September Facebook reported that the accounts of nearly 90 million users had been compromised. The details of more than 500 million Marriot guests were also hacked, revealing customer data dating back to 2014.
Given those concerns, 2018 became the year a number of regulatory developments were introduced in Australia to enhance privacy governance across both public and private sectors. Internationally, on 25 May the European Union’s General Data Protection Regulation (GDPR) took effect. Those rules apply to Australian businesses operating in the EU or dealing with European citizens. (See our article here.) Domestically, the Notifiable Data Breaches (NDB) scheme also came into effect on 22 February 2018.
The NDB scheme requires entities to notify affected individuals and the Privacy Commissioner where a data breaches occurs involving personal information that is likely to result in serious harm to any individual affected.
It is important to understand that data breaches don’t just occur as a result of hacking, but can occur from simple human behaviour leading to accidental loss or disclosure of personal information. Examples of data breaches include the following incidents:
Any organisations which must comply with the Privacy Act 1988 will be bound by the NDB scheme. This includes Australian Government agencies, businesses and not-for-profit organisations with an annual turnover of $3 million or more. Some organisations such as credit reporting bodies and health service providers must comply even if they don’t meet the $3 million threshold due to the sensitivity of the information which is collected.
When a data breach has occurred, organisations must promptly assess whether individuals are at likely risk of serious harm and whether steps could be taken to contain the breach. That must be done promptly (within days rather than weeks). The Commissioner must also be notified as soon as practicable, if that is required.
Putting the NDB scheme into perspective, according to statistics from Office of the Australian Information Commissioner (OAIC) from 1 July 2018 to 30 September 2018, OAIC had received a total of 487 data breach notifications. The top five industries by number of notifications are:
Across all sectors, 37% of the breaches are caused by human error such as:
In comparison, 57% of breaches are caused by malicious or criminal attacks such as:
As with the development of technology, businesses must continue to review and evolve how they collect, store and handle personal information. It is essential to keep moving with the times, assessing where risks lie (both internally and externally), updating policy (set and forget won’t be acceptable) and developing appropriate response plans – should they ever be needed.
This article was written by Kate Fei, Solicitor, and Andrew Nicholson, Partner
"The content of this publication is for reference purposes only. It is current at the date of publication. This content does not constitute legal advice and should not be relied upon as such. Legal advice about your specific circumstances should always be obtained before taking any action based on this publication."