AUTHOR: Rick Stone
An online checklist can help you determine whether your agency or organisation is an APP entity and is required to protect personal information.
From tomorrow, any APP entity must report any data breach that compromises personal data. If a personal information breach occurs, an agency or organisation must notify the Australian Information Commissioner and affected individuals once it has reasonable grounds to believe there is an eligible data breach.
A breach is considered to have occurred if either of the following conditions is met:
- unauthorised access to or disclosure of information
- information is lost where unauthorised access to or disclosure of information is possible
A breach must also be likely to result in serious harm to the individuals to whom the information relates. According to the guidance notes, serious harm must be more than (understandable) distress or upset.
This means that all APP entities need four things:
- A prevention strategy to stop hackers or other adversaries from gaining access to data including personal information. This includes security systems to prevent inadvertent loss (like leaving a computer on the train)
- A monitoring system to detect a potential breach before it becomes an actual breach
- A response plan for potential or actual breaches (there is an exemption for notification if the breach is remediated such that no serious harm is likely)
- A notification plan to manage any notifiable breach, which includes a way of notifying the Commissioner and the affected individuals within a reasonable timeframe. This could include: direct contact; placing a notice on the entity’s website; and advertising in social or traditional media
This plan may also need to include elements of crisis communication as the entity’s reputation will be under serious threat.
For more information you can read the Office of the Australian Information Commissioner’s Notifiable Data Breach scheme resource page or contact us at Tigertail.