Home | News & Events | Industry newsletters | May 2018 - Changes to privacy law

May 2018 – Changes to privacy law

The Notifiable Data Breaches (NDB) scheme came into effect on 22 February 2018 and applies to all agencies and organisations with existing personal information security obligations under the Australian Privacy Act 1988 (Privacy Act). The scheme introduced an obligation to notify individuals whose personal information is involved in a data breach that is likely to result in serious harm. The Australian Information Commissioner (the Commissioner) must also be notified of eligible data breaches.

What is a data breach?

A data breach occurs when personal information held by an organisation is lost or subjected to unauthorised access or disclosure.

What we are doing to protect your personal information

To further ensure that our processes and systems continue to protect your data and personal information, we have completed business reviews, held internal workshops and revised our internal privacy policies. We have also conducted refresher training for all Coal Services employees that covers the changes to privacy law and our obligations.

What can you do?

Diligence in the area of privacy is important. Compliance with the 13 Australian Privacy Principles (as outlined in the Privacy Act) will help safeguard against data breaches – here are some helpful reminders of some of the key principles:

APP 5 — Notify individuals of certain matters when collecting personal information e.g. information about the entity’s Privacy Policy and usual disclosures of personal information.

APP 6 — Use or disclosure of personal information

An entity can only use or disclose personal information for a purpose for which it was collected (known as the ‘primary purpose’), or for a secondary purpose if an exception applies (as per the exceptions in the legislation e.g. consent). Care should be taken when dealing with third parties.

APP 11 — Security of personal information

An entity must take reasonable steps to protect personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure. An entity has obligations to destroy or de-identify personal information in certain circumstances. These obligations link closely to an entity’s cyber security and records management programs.

It is also important to remember that a higher standard of care and often different steps are required when dealing with sensitive personal information e.g. health information or membership of a trade union. Depending on your business, there may be other related obligations including those under the Health Records and Information Privacy Act 2002.

For more information about privacy matters visit the Commissioner’s website https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme