On February 22, 2018 the Notifiable Data Breaches Scheme, an amendment to the Australian Privacy Act, came into force in Australia. In addition to the NDB, the European GDPR will come into force on May 25, 2018.
The Australian Privacy Act has undergone many changes since its inception, the latest being the introduction of the Notifiable Data Breaches Scheme, also known as the NDB. The NDB scheme sets out obligations for notifying affected individuals, and the Office of the Australian Information Commissioner (OAIC), about data breaches that could result in serious harm to an individual. It aims to strengthen the protection of personal information by giving affected individuals the opportunity to take steps to protect themselves. The Australian Privacy Act, and by extension the NDB, applies to Australian businesses with an annual turnover of more than $3 million. To find out whether you are covered by the Australian Privacy Act, view the Privacy Act (linked at the end of this post).
In basic terms, if you are covered by the Privacy Act and you collect or process personal data about an individual, then you need to ensure your business meets the Australian Privacy Principles outlined in the Act and complies with the NDB. If a data breach occurs, i.e., someone gains unauthorised access to personal data you hold, then it is the business's responsibility to comply with the notification obligations.
What is Personal Data?
Personal data is any information collected that can uniquely identify an individual. This could include a name, email address, phone number, IP address or home address. If your website includes functionality such as an online shop, newsletter campaigns, blog subscriptions or memberships, then it is likely that personal information is both collected and processed.
General Data Protection Regulation (GDPR) and Australian Business
The General Data Protection Regulation (GDPR) was approved by the EU Parliament and will be enforced from 25 May 2018, at which time organisations that are not compliant may face heavy fines. While this is EU law, it will indirectly affect Australian businesses if an entity collects personal information about EU citizens. In other words, if your business sells online to EU citizens or processes information about EU citizens, then you must comply with the regulation.
What does all this mean for you?
From an internal business perspective, organisations will need to delve deeper into their data privacy practices to ensure compliance. Links will be provided at the bottom of this post. For your website, however, there are several things you can implement now:
- Check that you have an up-to-date privacy statement on your website that is easy to find and easy to read. This means using plain language and removing legal jargon that visitors may not understand.
- If the data is processed by a third-party service provider, e.g., Mailchimp, it is the responsibility of your business (the controller) to make sure the service provider (the processor) is also compliant.
For the GDPR you must ensure an individual can:
- make changes to the data you hold about them (update their information)
- have their data erased completely
- request what data you hold about them
- be notified should a breach occur; notification of the breach must be transparent, i.e., the individuals involved must be informed.
This was just a quick introduction to the latest privacy laws that may affect Australian businesses. If you have a website that collects or processes personal information, we can provide an overall assessment and advise on what changes (if any) need to occur.
More Information about the Australian Privacy Act and the GDPR
- Australian Privacy Act
- Australian Privacy Principles
- Notifiable Data Breaches Scheme
- Australian Business and the GDPR (OAIC)
- General Data Protection Regulation (GDPR)
- GDPR and Australian Payroll Functions
- Mail Chimp and GDPR Compliance