This year has proved to be a busy year for those interested in information security.

The recent Facebook and Cambridge Analytica situation has reminded everyone that regulation alone does not provide information security.  Nothing illegal occurred when Facebook users agreed to permit Cambridge Analytica access to their personal data.  Consent was given and then acted upon.

In this environment, sometimes individuals must take responsibility for how they share their own personal information and exercise common sense.  Regulation did not stop it or protect the users.  History shows many will look for ways to circumvent a law when the objectives suit.  However, just because something is not illegal doesn’t make it right.

The propensity to go around regulation does not stop the onward march of the regulator and the making of new laws dealing with personal information.  It only encourages them.

New notification regime

Earlier this year the Australian government introduced the Notifiable Data Breaches laws.

Entities regulated by the Privacy Act must comply with the notification obligations if a data breach is likely to result in serious harm to any individuals whose personal information is involved in the breach.

The Office of the Australian Information Commissioner provides helpful guidance to help entities comply with the new scheme, which has operated since 22 February 2018.  Full details may be found here.

Briefly, the actions required if a breach is suspected or known include:

  • Containing the breach
  • Assessing whether it will result in serious harm
  • Determining whether remedial action is possible and, if so, taking that action.

If remedial action is not possible, then the OAIC must be notified and the entity must either:

  • Notify all individuals, or
  • Notify only those individuals at risk.

If personal notification is not possible, then the entity must publish a statement on their website and publicise it.

EU General Data Protection Regulation

From 25 May 2018 new data protection regulations apply to all businesses offering goods or services in the European Union.

While the European regime has many similarities with that applying in Australia, there are some notable differences including the ‘right to be forgotten’.

The GDPR applies to businesses of all sizes, unlike the Australian regime.

If you are doing business in or with entities based in Europe, you need to consider whether you must comply with the GDPR.

Next steps

If you require any further information regarding your entity’s obligations to keep personal information confidential and what to do if a breach occurs please contact Hadyn Oriti on 02 6583 0449.
