
By: Andrew Nicholson, Esq.
Mullins Lawyers
Brisbane, Australia

Recent examples have shown that privacy compliance is not just about having a privacy policy in place – the Privacy Commissioner requires organisations to have plans and procedures in place which support those policies.

Privacy and data security are again in the headlines following a massive data breach of the personal information of up to four million current and former US Government employees earlier this month. The breach affected a number of (and potentially all) US Government agencies. While the FBI continues to investigate, it is understood that the breach was perpetrated by sophisticated hackers in China who were able to circumvent the security measures which were in place.

The fallout from the breach has caused obvious embarrassment, concern and reputational loss. It is also likely to prove extremely costly with the Government proposing to offer all affected employees 18 months insurance cover for identity theft and credit monitoring – in an attempt to address any potential claims, should those events occur.

Many businesses may think that type of risk is not relevant to them. However, even if that is correct, there are a number of lessons which we can learn from that example in Australia.

Most businesses will be familiar with the privacy reforms which took effect in March 2014. The Privacy Act now requires that organisations take reasonable steps to protect any personal information which they hold from unauthorised access, misuse, interference and loss.

Under a recently published guideline, “Data breach notification — A guide to handling personal information security breaches”, the Privacy Commissioner has confirmed that all organisations should develop a data breach response plan as part of their privacy compliance.

Those plans should consider how to respond to a breach and what steps might be taken to minimise the impact on affected individuals.

In an example which is closer to home, in March 2015 Optus entered into an enforceable undertaking with the Privacy Commissioner following three “incidents” which occurred in 2014. One of those incidents involved customers’ names, addresses and telephone numbers being listed, without consent, in the White Pages directory. The incident was caused by computer error (within Optus).

Whilst the Privacy Commissioner was concerned that Optus may not have taken sufficient steps to secure the personal information which it held, when the breach became apparent Optus gave voluntary notification of the breach, took steps to contain it and worked with the Privacy Commissioner during their subsequent investigation.

There are several clear messages to take from that:

  • It is not sufficient for organisations to merely have a privacy policy in place.
  • Organisations should take steps to educate staff about privacy compliance and should develop a data breach response plan as part of their privacy compliance processes.
  • Organisations should be proactive where a breach occurs including acting swiftly to take steps to minimise the impact on individuals and notifying those individuals and the Privacy Commissioner, where appropriate.
  • The Privacy Commissioner has shown an apparent intention to work with (rather than merely penalise or fine) organisations in appropriate circumstances. However, the efforts made by Optus following the breach should be noted.

A further guideline, published by the Privacy Commissioner last month to assist organisations in assessing their personal information security requirements, can be accessed at “Guide to securing personal information - OAIC”.

For more information about Mullins Lawyers, please visit the International Society of Primerus Law Firms.