How Australia’s new data breaches scheme will impact crisis comms

In our increasingly complex technological world, a data breach is as common as breathing. Here, GWI's Vanessa Douglas-Savage explains how a new Australian scheme could make a big impact on how marketers and comms professionals deal with data breach disasters.

The virtual data revolution Australia is about to embark on with the implementation of the Mandatory Notifiable Data Breaches (NDB) scheme is a marketer’s dream.

There has been a lot written about the NDB, an amendment to the Privacy Act where thousands of Australian companies will be required to alert individuals and the government if they believe their IT systems have been compromised and private data has been accessed.

The Privacy Amendment (Notifiable Data Breaches) Act 2017 comes into effect February 22. Under the legislation, all companies with an annual turnover in excess of $3 million will need to report any breaches of systems where the personal information of clients is involved.

This includes:

  • Australian government agencies
  • Business and NFPs with turnover of more than $3 million annually
  • All private sector health service providers
  • Businesses which trade personal information
  • Businesses which gather TFNs (if turnover exceeds $3 million)
  • Businesses which hold personal information.

If a company identifies a breach, they are required to notify any individuals who may be at risk of serious harm caused by a data breach through unauthorised access or disclosure. This includes being vulnerable to identity theft.

The good

Going by what has already been written about this subject, you could be forgiven for thinking this new legislation is all doom and gloom. In fact, there is plenty of good news about the legislation, including that it:

  • Is short
  • Is easy to understand
  • Has clear requirements
  • Makes notification as simple as filling in a web form

The legislation also distinguishes between notifiable and non-notifiable breaches, meaning that if an organisation can show that it has taken appropriate steps to mitigate the breach, then notification is not required.

The legislation marks the end of a period of uncertainty for Australian businesses, with these changes having been proposed (and failing to pass) twice before.

While all of these are absolutely laudable, what is most noteworthy about this legislation is that it provides Australians with greater certainty about the security of their data.

In so doing, it also provides an important marketing tool which can be used to encourage greater engagement with clients and a clear understanding that Australian businesses and the government are aware of the issues of cyber security and are working to keep data secure in a co-ordinated way.

No-one is claiming this is a complete fix for what is a rapidly escalating issue in an increasingly technologically-dependent society. But it is an important start.

The legislation also forces companies to look at their own cyber security and take the required steps to ensure they are compliant.

In what is believed to be the largest data breach in Australia, the Australian Red Cross in 2016 admitted the personal data of some 550,000 blood donors had been compromised – including some highly sensitive information such as “at risk sexual behaviour” from their website.

The organisation said the records containing information on donors between 2010 and 2016 were accessed by an unauthorised person after a file containing the information was saved on a publicly accessible area of a webserver managed by a third party provider.

“Data breaches can still happen in the best organisations,” the Australian Information and Privacy Commissioner Timothy Pilgrim said on his investigation into the Red Cross data breach.

“And I think Australians can be assured by how the Red Cross Blood Service responded to this event. They have been honest with the public, upfront with my office, and have taken full responsibility at every step of this process.

“This incident is an important reminder that you cannot outsource privacy obligations. All organisations must put in place reasonable measures to ensure their third party providers’ compliance with appropriate privacy and data security practices and procedures.”

The Australian Information and Privacy Commissioner said the efficiency with which the Red Cross notified individuals and the government of the breach was a good example of how to manage a breach well.

The bad and the ugly

The legislation is an excellent first step in the development of co-ordinated policy across all Australian governments. However, a disconnect between state and federal legislation still exists, which is cause for concern and confusion for some businesses.

Other factors we would line up in the “bad” column include the ongoing lack of understanding about what constitutes personal information.

The legislation also does not clearly articulate a definition of what it considers to be “serious harm” to an individual as a consequence of a data breach.

What you need to do

Australian businesses which have not been proactive in ensuring their clients’ personal data is secure have been given a long overdue push to audit their systems with the introduction of the Mandatory Data Breach Notification scheme.

There are three steps anyone within the marketing, advertising and communications world needs to take to be ready for the implementation of the legislation.

  1. Understand where, why and how personal information is collected by the company
  2. Know where and how personal information is stored and managed
  3. Develop a plan to respond to privacy breaches.

The introduction of the NDB should be a source of comfort for Australians who are more and more aware of how vulnerable they can be to data breaches.

This policy shows Australia is thinking proactively about the problem and this can only be a good thing for business.

GWI consulting director and chief information officer Dr Vanessa Douglas-Savage is an information management and information architecture specialist who leads the Information Practice at GWI.
