As seen in the February edition of the QHA Review.
When the Australian Privacy Act 1988 was introduced in the 80s, I doubt the legislators could have envisaged the technological advances we have seen in the last 30 years, or how heavily we would rely upon technology in 2020. In 1988, phones were still fixed to landlines, and we actually had to walk across the room to change TV channels. Today, we rely on our smartphones for all of life’s interactions – whether it be communicating with loved ones, taking photos, paying bills, shopping or getting directions.
This reliance on technology has resulted in an exponential increase in the data and personal information collected, stored, used, and shared by organisations on a global scale.
In 2018, Facebook reported that the accounts of nearly 90 million users had been compromised. In the same year, a breach at Marriott exposed the details of more than 500 million guests, including customer data dating back to 2014.
In response to the growing privacy concerns, the Australian Government introduced the Notifiable Data Breaches (NDB) scheme in February 2018, with a view to enhancing governance and updating individuals’ rights to enjoy privacy, across both public and private sectors.
What is the NDB scheme?
The NDB scheme requires entities to notify affected individuals and the Privacy Commissioner where a data breach occurs involving personal information that is likely to result in harm to any individual affected.
It is important to understand that data breaches don’t just occur as a result of hacking, but can occur from simple human behaviour leading to disclosure of personal information.
In fact, 37% of the 487 data breach notifications received by the Office of the Australian Information Commissioner (OAIC) between July and September 2018 were caused by human error, such as:
- personal information sent to the wrong recipient (including putting the wrong letter in the wrong envelope or forgetting to use the blind carbon copy (BCC) function in bulk emails);
- loss of paperwork/data storage device;
- unauthorised disclosure including unintended release or publication;
- insecure disposal;
- theft of paperwork or data storage device;
- rogue employee who fails to comply with policy or who deliberately accesses information without authorisation.
Does the NDB scheme affect publicans?
Any organisation which is covered by the Privacy Act 1988 is also bound by the NDB scheme. The legislation generally impacts all publicans, meaning it is particularly important that you carefully consider the way you use your customer databases, in order to avoid breaching any legislation. While sending bulk emails with venue offers to your entire database seems a great way to reach a wide market, it is imperative that you consider recipients’ rights and ensure you are handling their personal information in a way that complies with legislation.
What to do when there is a data breach
When a data breach has occurred, organisations must promptly assess (within days rather than weeks) whether affected individuals are at likely risk of harm and whether steps could be taken to contain the breach. Where notification is required, the Commissioner must also be notified of an eligible data breach as soon as feasible.
Just as technology continues to evolve, publicans too must continue to review and update how they collect, store and handle personal information. It is essential to keep moving with the times: assessing where risks lie (both internally and externally), reviewing and updating policy (‘set and forget’ won’t be acceptable) and developing appropriate response plans – should they ever be needed.