Keeping personal information secure: new privacy laws

Story: David Humphrey

Keeping customer and staff information secure is even more important after new laws came into effect on 22 February 2018.

New data notification laws commenced in February. Under the notifiable data breaches (NDB) scheme businesses need to formally investigate suspected data breaches of personal information. Data breaches that are likely to result in serious harm must be reported to the Office of the Australian Information Commissioner and to those individuals impacted.

The Privacy Act – a duty to protect and secure information

If you have a turnover greater than $3 million, the Privacy Act 1988 and Australian Privacy Principles (APP) regulate the way your business handles personal information.

These laws broadly require businesses to secure any personal information they hold and take reasonable steps to protect this information from misuse, interference, loss and unauthorised access, modification or disclosure.

Some common examples of personal information include an individual’s name, address, phone number, date of birth, email address, photograph or video recording of a person, bank account details, tax file number, signature, and commentary or opinion about an individual.

Many HIA members will obtain and secure personal information from their clients, potential customers, employees and contractors.

The new data notification laws

The notifiable data breaches scheme adds to the existing privacy obligations.

Under the new laws, as soon as practicable after you become ‘aware that there are reasonable grounds to believe’ there has been an eligible data breach you must notify these parties:
• the Information Commissioner
• affected individuals (or publish a statement).

There are some exceptions, including taking sufficient remedial action that the data breach is not likely to result in serious harm.

The new data notification laws will apply to businesses with a turnover greater than $3 million. The laws apply to small businesses only in relation to a data breach involving tax file numbers.

There may be penalties for non-compliance, including compensation for damages and monetary fines.

What is a notifiable data breach?

An eligible data breach will happen if:
• there is unauthorised access, unauthorised disclosure, or loss of personal information held by an entity, and
• the access, disclosure or loss is likely to result in ‘serious harm’ to the individual to whom the information relates.

Online hacks, email ‘phishing’ and data ransomware present common data breach risks. However other examples include:
• lost or stolen electronic devices containing personal information (such as a laptop, USB or mobile phone)
• paper records stolen from insecure recycling or garbage bins
• accidentally providing personal information to the wrong person
• unauthorised access to payroll information or personal information of employees.

To make your systems less attractive to cyber criminals consider these tips:
• install a firewall and virus-checking on your computers, and download the latest patches or security updates
• install anti-spyware tools
• choose secure passwords
• only allow your staff to access the information they need to do their job
• don’t let staff share passwords
• encrypt any personal information held electronically that would cause damage or distress if lost or stolen
• collect and store personal information only if it is absolutely necessary
• develop management policies and procedures for personal information
• destroy personal information when it is no longer needed.

Depending on your risk you may also want to prepare a data breach response plan and obtain cyber insurance coverage.

David Humphrey: HIA Senior Corporate Legal Counsel

HOUSING, May 2018, page 35 (In Focus: Legal Update)