Privacy Law Changes
One of the Australian Privacy Principles applying as law requires personal information to be kept secure, protecting it from loss, misuse, interference and unauthorised access, modification or destruction. From 22 February 2018, it will be mandatory to report significant privacy breaches.
When the changes to the Privacy Act become law, businesses and other organisations will be required to notify individuals and the Privacy Commissioner of a data breach of personal information if the breach is likely to result in serious harm to the individuals.
A breach of this nature, categorised as an ‘eligible’ or ‘notifiable’ breach, can involve the release or destruction of, or unauthorised access to, personal information in circumstances in which the affected individuals are likely to experience physical, reputational, financial, emotional or other serious harm. This can arise in relation to one or a number of individuals, depending on the nature of the breach and its seriousness. In assessing the impact on the individual, the ‘reasonable person’ test is used – whether a reasonable person would assess the impact as significant.
A data breach could include lost or stolen computers or mobile devices, disposal, loss or theft of hard-drives or similar memory devices, hacked computer systems, hard-copy records lost or thrown out, sending personal information to the wrong person, customer details exposed online, staff taking records about individuals to another business, leased computers returned with personal information still on them, etc.
The data breach regime sets out what and when actions are to be taken, including informing both the OAIC and the affected individuals. The website of the Office of the Australian Information Commissioner contains more guidance – www.oaic.gov.au.
Implications for Brokers
The general rule is the data breach requirements apply to all businesses unless their annual turnover, or the corporate group to which they belong, is no more than $3M. However, if a business, regardless of turnover, collects or holds tax file numbers, lawfully or otherwise, the breach requirements will apply. This could potentially result in brokers being directly implicated where, for instance, they are hold client tax returns.
Indirectly, brokers are often contractually required to hold personal information, such as customer identity documents, on behalf of financiers. The data breach requirements may now result in financiers considering the imposition of additional safe-guards about data security and require reporting to them if data held on their behalf is accessed, released or destroyed when it should not be. Members may also wish to refer to the July 2017 of EF Insider, which included a discussion about identification document retention on behalf of financiers under anti-money laundering laws.
Members should assess all possible data breach scenarios within the business, review the adequacy of security measures and develop policies and procedures for identifying any data breach and managing the reporting obligations.
This provides a high-level explanation of how the ASIC LI law may impact members’ businesses. It is not a comprehensive analysis. Members should seek legal advice for their specific situation.
Director / Solicitor, CreditWise