Under the Notifiable Data Breaches (NDB) scheme, any organisation covered by the Privacy Act 1988 must notify affected individuals and the Office of the Australian Information Commissioner (OAIC) when such a data breach occurs.
Notifiable data breaches (as defined by the OAIC) occur when:
- there is unauthorised access to, unauthorised disclosure of, or loss of, an individual’s personal information,
- this action is likely to result in serious harm to one or more individuals, and
- the organisation originally holding the information hasn’t been able to prevent the likely risk of serious harm with remedial action.
Unauthorised access or disclosure includes when:
- a device with a customer’s personal information is lost or stolen
- a database with personal information is hacked
- personal information is mistakenly given to the wrong person
The scheme started in February 2018 and there were 964 notifications to the OAIC in the 12-month period between 1 Apr 2018 – 31 Mar 2019. 60% of those breaches were attributed to malicious or criminal acts and 40% of them were cyber incidents!
But I’m not covered by the Privacy Act 1988, am I?
At first glance you might be thinking the NDB doesn’t apply to you. After all, you’re a sole trader, and only organisations covered by the Privacy Act need to follow the scheme. Surely the Privacy Act 1988 only applies to big companies?
Well actually, the Act covers sole traders and some small business operators (defined as organisations with an annual turnover of less than $3 million). There’s a full list of what types of small businesses are covered on the OAIC website.
So if you’re a sole trader or if you fall into any of those small business categories, then you need to be aware of the NDB.
Well I don’t collect any personal information so I’m good
Sorry, that’s not quite right. Personal information includes names, addresses, contact details and credit card information.
So if you’re taking and storing people’s credit card details when they buy something, whether that’s online or in person, then you’re collecting personal information.
Or if you’re shipping a physical product to them, then you’ve had to collect their address which also counts as personal information.
And if you’re asking people for their names and contact details when they sign up to a newsletter then you’re collecting personal information.
Given 86% of breaches involved contact information being wrongly disclosed, this is definitely an area that sole traders need to be aware of.
Yes, but I’m really tiny, I’ve only got a few customers. Surely I don’t need to worry?
83% of notified breaches affected fewer than 1,000 people!
Ok, you’ve convinced me – what do I need to do next?
Prepare and prevent
- Use strong passwords and passphrases, and preferably a password manager.
- Use two-factor authentication
- Keep operating systems, browsers and plugins up-to-date with patches and fixes
- Enable anti-virus protections to help guard against malware
- Be wary of clicking on links that require you to reset a password, even if the message appears to come from someone you trust. Always go directly to the website and reset your account details there.
Do you think a notifiable breach has occurred? If so you need to notify any individual at risk of serious harm as well as the OAIC. There’s more information and a form at the OAIC website.
Got more questions? Get in touch to find out how I can help you with your G Suite and Google related issues and drive better business outcomes.