Starting today, many Australian businesses are subject to a new Notifiable Data Breaches Scheme – and if you trade in the business of personal information, it is more than likely that these changes impact you.
The new rules state that customers must be informed when a data breach occurs if the breach is likely to result in “serious harm” for the impacted party.
So who is affected by this new legislation?
Any Australian business with an annual turnover of $3 million or more must disclose data breaches that have exposed personal information. But importantly, small businesses who operate a residential tenancy database are also required to comply with the legislation – in fact, these businesses are required to comply with all of the Australian Privacy Principles (APPs) contained within the Privacy Act 1988.
This means the new legislation more than likely affects your responsibilities at work – and it is time to familiarise yourself with the changes!
How do data breaches occur?
Data can be inadvertently shared by staff, or it can be intentionally stolen by criminals with malicious intent. It might be that a laptop or thumb drive is stolen, a client file is accidentally dropped in the street, personal information is mistakenly sent to the wrong email address, or your entire server is hacked – whatever the source of the breach, if the data is exposed, the breach needs to be declared.
What is ‘serious harm’?
A data breach must be disclosed to an impacted party if you assess that the breach may cause that party ‘serious harm’. Although not defined in the Privacy Act, serious harm may include serious physical, psychological, emotional, financial or reputational harm. This is a difficult assessment to make – it may pay to keep in mind that the more sensitive the information, the more likely an instance of serious harm becomes: think health records, documents commonly used in identity fraud and financial information.
Are real estate agencies covered by the Australian Privacy Principles?
More than likely, yes: particularly if you operate a rent roll. And if your agency turns over more than $3 million annually, most definitely. For more details on the link to property management, check out this page: https://www.oaic.gov.au/individuals/faqs-for-individuals/tenancy/ and remember that your licensee should be able to provide advice on your obligations under the Privacy Act. If you happen to be that licensee, and feel you are lacking some details on whether all of this is relevant to you… it might be time to brush up on your knowledge!
Can WCPT teach me and my team more about data breaches and the Privacy Act?
Of course we can! Consider a Privacy Act update for your entire team – just one of the bespoke sessions we can deliver in office for you. Or, come along to Real Estate Mastery, our 7-point CPD session that unpacks the specific risks associated with cyber crime. Contact our office on 08 9300 0000 or firstname.lastname@example.org for more details on your training options.
Where can I get more information?
– Read more about the Notifiable Data Breaches Scheme here: https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme/entities-covered-by-the-ndb-scheme
– Follow this checklist to determine whether the new legislation impacts your business here: https://www.oaic.gov.au/agencies-and-organisations/business-resources/privacy-business-resource-10
– Book yourself into Real Estate Mastery, WCPT’s elective CPD session that features an in-depth session on the risk of cybercrime as a source of data breaches here: https://wcpt.com.au/cpd/elective-cpd/
– Contact the WCPT to discuss bespoke training for your team: 08 9300 0000 or email@example.com