Privacy + Data Breach Obligations

Securely handle your customer's personal data

Canny Insight has recognised that one of the main areas of concern for our clients is in ensuring they are handling their own customer’s personal information and data securely, particularly in light of recent high-profile data leaks and hacks.

This is an important but often overlooked area by most business owners because they simply do not know where to begin!

If you sign up to one of our 12-month Packages, we conduct a Legal Audit Report on your business and identify areas such as privacy and data protection obligations, and how we can assist you. This is particularly important for any businesses holding sensitive medical or health information, such as NDIS service providers.

Canny Insight can provide you with recommendations and guidance to help your business navigate the very complex requirements on handling, using and storing any of your customer’s personal or sensitive information in line with the Privacy Act 1988 (Cth).

We can also provide advice on the Notifiable Data Breaches (NDB) scheme and when and how this applies to your business, and guidance on preparing a policy for complying with the NDB Scheme.

For more information on privacy and data protection, and the other ways Canny Insight can help your business, take a look at our Blog.

Privacy + Data Breach Obligation FAQs

In Australia, data breach obligations are governed by our Commonwealth Privacy Act 1988.

Data breach obligations predominantly refer to the requirement that businesses report any unauthorised access to, or disclosure of, personal or sensitive information both to the individuals impacted and to the overseeing body, the Office of the Australian Information Commissioner (OAIC).

Certain businesses are required to report under the Notifiable Data Breaches Scheme (NDBS) both to individuals potentially impacted, and to the Office of the Australian Information Commissioner (OAIC), about any “eligible” data breaches.

This means that an entity that falls within the NDBS has to first conduct a proper assessment of whether an eligible data breach has occurred, and then it must notify individuals if it believes the individual’s personal information is involved in a data breach that is likely to result in serious harm.

The Privacy Act regulates how your personal information is handled.

Under the Privacy Act you have the right to know why your personal information is being collected, how it will be used and who it will be disclosed to, and you have the right to seek access to your personal information, or have it corrected if it is incorrect.

If the company falls under the Notifiable Data Breaches Scheme (NDBS) they have very strict reporting obligations.

The Privacy Act applies to all organisations, unless they’re a small business operator, a registered political party, a state or territory authority or a prescribed instrumentality of a state.

While small businesses with an annual turnover of $3 million or less are generally exempt, they won’t be if they are a private sector health service provider, a business that sells or purchases personal information, a credit reporting body, an Australian Government contractor, or some other specific organisations as outlined in the Privacy Act.

Businesses are also able to opt into the Privacy Act, which means they are obliged to be compliant with its requirements, even if they would otherwise be an exempt small business.

Personal information is information about an identified individual, or an individual who is reasonably identifiable.

Some examples of personal information are a person’s name, mailing address, email address, phone number, credit information, photographs, IP addresses, location information, employee records, and can also include sensitive information (information or opinion about a person’s race, ethnic origin, political views, religious or philosophical beliefs, criminal records, health or genetic information, sexual orientation, or trade union membership or associations).

From this list, it is clear to see that most businesses would hold personal information about clients, customers or suppliers.
