No matter which industry your business operates in, the likelihood is that you will need to consider how you protect the Personally Identifiable Information (PII) of your employees or customers.
Privacy laws around the world are undergoing changes to reflect the concern around protecting PII, including the Australian Privacy Act 1988 (Privacy Act), which is undergoing an amendment to introduce Notifiable Data Breaches (NDB). The Office of the Australian Information Commissioner (OAIC) defines an NDB as being either:
- a data breach that is likely to result in serious harm to any of the individuals to whom the information relates; or
- a data breach that occurs when personal information held by an organisation is lost or subjected to unauthorised access or disclosure.
This amendment will commence in early 2018 and will apply to all Australian Government agencies and other organisations covered by the Privacy Act for any data breaches that occur on or after 22 February 2018.
Do I need to comply with the Privacy Act?
Generally speaking, all private health service providers need to comply with the Privacy Act, as does any other business that handles personal information and has an annual turnover of $3 million or more.
How do I comply with the Privacy Act?
There are 13 Australian Privacy Principles (APPs) that need to be addressed. Not all of them will apply to every entity; applicability depends on each entity's situation. The principles cover the following:
- open and transparent management of personal information;
- anonymity and pseudonymity;
- collection of solicited personal information;
- dealing with unsolicited personal information;
- notification of the collection of personal information;
- use or disclosure of personal information;
- direct marketing;
- cross-border disclosure of personal information;
- adoption, use or disclosure of government related identifiers;
- quality of personal information;
- security of personal information;
- access to personal information; and
- correction of personal information.
Further information regarding the 13 APPs can be obtained from the OAIC website.
Additionally, some Australian states have specific privacy standards, such as the recently introduced Victorian Protective Data Security Framework (VPDSF). The relevance of these and other standards varies depending on who you are and who you do business with. If you are unsure, contact nubesec to obtain some free advice.
What is the GDPR?
The General Data Protection Regulation (GDPR) is a privacy regulation with the intent of giving citizens and residents of the European Union (EU) control over their own personal information. If your business deals with residents and citizens of the EU, you should be planning to implement the requirements of the GDPR now, as it becomes enforceable on 25 May 2018. The effort involved should not be underestimated.
To discuss how nubesec can help with your privacy obligations contact us now.