This year has proved to be a busy year for those interested in information security.

The recent Facebook and Cambridge Analytica situation has reminded everyone that regulation alone does not provide information security. Nothing illegal occurred when Facebook users agreed to permit Cambridge Analytica access to their personal data. Consent was given and then acted upon.

In this environment, sometimes individuals must take responsibility for how they share their own personal information and exercise common sense. Regulation did not stop it or protect the users. History shows many will look for ways to circumvent a law when the objectives suit. However, just because something is not illegal doesn’t make it right.

The propensity to go around regulation does not stop the onward march of the regulator and the making of new laws dealing with personal information. It only encourages them.

New notification regime

Earlier this year the Australian government introduced the Notifiable Data Breaches laws.

Entities regulated by the Privacy Act must comply with the notification obligations if a data breach is likely to result in serious harm to any individuals whose personal information is involved in the breach.

The Office of the Australian Information Commissioner provides helpful guidance to entities on complying with the new scheme, which has operated since 22 February 2018. Full details may be found here.

Briefly, the actions required if a breach is suspected or known include:

  • Containing the breach
  • Assessing whether it will result in serious harm
  • Determining whether remedial action is possible, and if so taking that action.

If remedial action is not possible, then the OAIC must be notified and the entity must either:

  • Notify all individuals, or
  • Notify only those individuals at risk.

If personal notification is not possible, then the entity must publish a statement on their website and publicise it.

EU General Data Protection Regulation

From 25 May 2018 new data protection regulations apply to all businesses offering goods or services in the European Union.

While the European regime has many similarities with that applying in Australia, there are some notable differences including the ‘right to be forgotten’.

The GDPR applies to businesses of all sizes, unlike the Australian regime.

If you are doing business in or with entities based in Europe, you need to consider whether you must comply with the GDPR.

Next steps

If you require any further information regarding your entity’s obligations to keep personal information confidential and what to do if a breach occurs, please contact Hadyn Oriti on 02 6583 0449.
