Taking all reasonable steps
The Privacy Act already requires organisations to take all reasonable steps to protect the personal information they hold.
The new data breach laws add a further layer on top of that duty: assessing suspected breaches and notifying where a breach poses a threat to the individuals concerned. If you have not already done so, you should therefore assess issues such as:
- How personal information flows into and out of your business: what information you gather (including IP addresses and similar data collected by your websites), what information you disclose (for example, do you pass information about your clients to third parties?) and where personal information is stored. Map out the systems you use, where each system holds its data (if cloud-based, your data may be held in a foreign country), what level of security each system provides, and what level of access each team member has compared with what their role actually requires
- How personal information is handled across its lifecycle within your business and who has access at each stage (not just who accesses the information to do their job, but who could access it)
- The possible impacts on individuals' privacy if that information is misused or exposed (a privacy risk assessment)
- The policies and procedures in place to manage personal information, including risk management and mitigation, and whether they are adhered to and actively managed
- The policy review process: review policies and procedures at least annually, and again whenever new systems or technology are introduced. Remember, a policy sitting in a folder somewhere is not enough; it needs to be actively reinforced and adopted by team members
- Protocols for new projects that ensure privacy is addressed from the outset wherever personal information is at risk
- Documentation of everything, including your reviews and procedural updates, even where nothing changed. If your business's culpability is ever assessed, being able to prove that you took all reasonable steps will be important.
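To make the mapping exercise above concrete, here is an added example of the kind of access review it calls for. It is not code from the original article. It takes a data inventory, a role matrix and an export of the access actually granted, all constructed sample data, and reports which systems hold each kind of personal information, who could reach a given system, which grants exceed what the holder's role needs, and which systems store data offshore or unencrypted. The system names, roles, the access levels and the rule that cloud data should sit in an "au" region are assumptions for illustration only.

```python
"""Data inventory and access review (added example; constructed sample data)."""

# Constructed inventory: one entry per system that holds personal information.
SYSTEMS = [
    {"name": "crm", "data": ["name", "email", "phone"], "hosting": "cloud",
     "region": "au-southeast", "encrypted_at_rest": True},
    {"name": "web-analytics", "data": ["ip_address"], "hosting": "cloud",
     "region": "us-east", "encrypted_at_rest": True},
    {"name": "hr-share", "data": ["tfn", "bank_account"], "hosting": "on-prem",
     "region": "au", "encrypted_at_rest": False},
]

# Assumed role matrix: the access each role needs to do its job.
ROLE_NEEDS = {
    "sales": {"crm": "read-write"},
    "marketing": {"crm": "read", "web-analytics": "read"},
    "payroll": {"hr-share": "read-write"},
    "it-admin": {"crm": "admin", "web-analytics": "admin", "hr-share": "admin"},
}

# Assumed ordering of access levels, lowest to highest.
LEVELS = {"none": 0, "read": 1, "read-write": 2, "admin": 3}

# Constructed: the grants actually present, as exported from each system.
# A departed contractor with a lingering grant is included on purpose.
ACTUAL = {
    "alice": {"role": "sales", "grants": {"crm": "read-write", "hr-share": "read"}},
    "bob": {"role": "marketing", "grants": {"crm": "admin", "web-analytics": "read"}},
    "carol": {"role": "payroll", "grants": {"hr-share": "read-write"}},
    "former-contractor": {"role": None, "grants": {"crm": "read"}},
}


def where_is(data_element, systems=SYSTEMS):
    """Systems that hold a given kind of personal information (the data map)."""
    return sorted(s["name"] for s in systems if data_element in s["data"])


def who_could_access(system, actual=ACTUAL):
    """Everyone holding any grant on a system, whether or not they use it."""
    return sorted(user for user, rec in actual.items() if system in rec["grants"])


def excess_access(actual=ACTUAL, role_needs=ROLE_NEEDS):
    """Return {user: [(system, granted, needed), ...]} for grants above what the
    user's role requires. A user with no current role needs no access at all."""
    findings = {}
    for user, rec in actual.items():
        needs = role_needs.get(rec["role"], {})
        for system, granted in rec["grants"].items():
            needed = needs.get(system, "none")
            if LEVELS[granted] > LEVELS[needed]:
                findings.setdefault(user, []).append((system, granted, needed))
    return findings


def storage_findings(systems=SYSTEMS, allowed_region_prefixes=("au",)):
    """Flag cloud systems holding data outside the allowed regions and any
    system that does not encrypt personal information at rest."""
    findings = []
    for s in systems:
        if s["hosting"] == "cloud" and not s["region"].startswith(allowed_region_prefixes):
            findings.append((s["name"], "stored offshore in " + s["region"]))
        if not s["encrypted_at_rest"]:
            findings.append((s["name"], "not encrypted at rest"))
    return findings


if __name__ == "__main__":
    print("Data map:")
    for element in sorted({d for s in SYSTEMS for d in s["data"]}):
        print(f"  {element}: {', '.join(where_is(element))}")
    print("Who could access each system:")
    for s in SYSTEMS:
        print(f"  {s['name']}: {', '.join(who_could_access(s['name']))}")
    print("Grants exceeding role requirements:")
    for user, items in excess_access().items():
        for system, granted, needed in items:
            print(f"  {user}: {system} granted {granted}, role needs {needed}")
    print("Storage findings:")
    for name, issue in storage_findings():
        print(f"  {name}: {issue}")
```

Run on a real export, the same three checks give you the evidence the last bullet asks for: a dated record of who could reach what, the over-privileged accounts you removed, and the systems whose storage location or protection you reviewed.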
When it comes to data breaches, all organisations must have a data breach response plan. The plan should cover three key areas:
- The actions to be taken if a breach is suspected, discovered or reported by a staff member, including when the matter is to be escalated to the response team
- The members of your data breach response team (the response team), and
- The actions the response team is expected to take.