Changes to the federal Privacy Act 1988 (Cth) which commenced from 22 February 2018 now create notification obligations when personal information has been disclosed or lost. Given these changes, it is important to ensure that employees who have access to personal information under the Privacy Act are aware of, and trained in, your security procedures. Employees should know what to do if personal information is disclosed or lost.
In an age of digital and flexible working environments, it is not uncommon for employees to take work home with them. Customer lists, client banking and payment details, patient medical records, or tax file numbers are no longer confined to a drawer in a filing cabinet, locked in an office. Personal information is stored in the 'cloud', on a USB, or simply printed off to review later. The risk of this information being lost, disclosed, or even hacked is increasing.
The new Privacy Act requirements mean that any holder of personal information must notify any affected individuals and the Privacy Commissioner on becoming aware that there are reasonable grounds to consider that an 'eligible data breach' has occurred.
An eligible data breach may arise when:
- there is unauthorised access to, unauthorised disclosure of, or loss of personal information
- this is likely to result in serious harm to any of the individuals to whom the information relates
- the likely risk of serious harm has not been prevented through remedial action.
When considering whether the disclosure or loss of the information is likely to result in serious harm, some of the factors to consider include:
- the type of information and sensitivity of that information
- any security measures in place to protect the information and the chances of those security measures being overcome
- the type of people who may obtain the information
- the nature of the harm.
Examples of eligible data breaches may include a customer mailing distribution list containing addresses and dates of birth of customers being uploaded to the company's public webpage instead of a secure section of the intranet; an email containing the billing information of clients being sent to an incorrect recipient; or a USB containing tax file numbers being accidentally left on the bus. Of course, hacking à la Ashley Madison or the Panama Papers can also be an eligible data breach.
It is important that employers have policies and procedures to protect privacy and minimise the risks of breaching privacy.
It is imperative to ensure that employees are trained in security procedures and know the company policy on the storage and use of personal information, particularly where employees are working from home or remotely. If you have a formal policy or procedure for the storage of personal information, it is worthwhile reminding your employees of what is required and where they can find it. Employees should be reminded of the consequences of breaching the policy (for example, disciplinary action). This also means it is imperative to keep a record of who received training and when.
Employers should also ensure all employees know what to do, or who to tell, if personal information is disclosed or lost. It can be helpful to nominate a person or team as the point of contact. The sooner you become aware of a potential data breach, the sooner steps can be taken to minimise the risk of serious harm, or to notify the affected individuals and the Commissioner. Employers should also consider all means of encouraging employees to report breaches, so that employees have no incentive to cover up a breach.