Thursday, October 05, 2017
This Has Implications For All Who Hold Sensitive Personal Information. GPs And Specialists Take Note.
This appeared last week:
The Office of the Australian Information and Privacy Commissioner has published draft resources for the Notifiable Data Breaches scheme, asking for public comment.
The Office of the Australian Information and Privacy Commissioner (OAIC) is seeking public comment on draft resources it has published relating to Australia's impending data breach notification laws.
The draft resources include guidelines on how to prepare an eligible data breach statement for when the scheme takes effect on February 22, 2017 (Actually 2018), how to assess a suspected breach, what quantifies reporting, how to notify the OAIC of an incident, and exceptions under the legislated obligations.
The new laws mandated under the Privacy Amendment (Notifiable Data Breaches) Act require organisations covered by the Australian Privacy Act 1988 to notify any individuals likely to be at risk of serious harm by a data breach.
This notice must include recommendations about the steps that individuals should take in response to the data breach, the OAIC explains in its draft material. Australian Information Commissioner Timothy Pilgrim must also be notified.
"Organisations will need to be prepared to conduct quick assessments of suspected data breaches to determine if they are likely to result in serious harm," the OAIC said.
A data breach worthy of reporting is defined by the OAIC as one that is likely to result in serious harm to any of the individuals to whom the information relates, noting also that a data breach occurs when personal information held by an organisation is lost or subjected to unauthorised access or disclosure.
Examples offered by the commissioner include a device containing customers' personal information that is lost or stolen, a database containing personal information that is "hacked", or where personal information is mistakenly provided to the wrong person.
As part of its reference material package, the OAIC prepared a guide to securing personal information, which also urges organisations to prepare or update their data breach response plan to ensure that they are able to respond quickly to suspected data breaches.
As not all data breaches are notifiable -- the scheme only requires organisations to notify when there is a data breach that is likely to result in serious harm to any individual to whom the information relates -- the OAIC explains that exceptions to the scheme will apply for some data breaches, meaning that notification to individuals or to the commissioner may not be required. The OAIC has asked for comment on its draft exceptions information.
There are lots more details here:
Relevant organisations should note the draft guidelines and make sure that when they are finalised steps are taken to ensure compliance. February 2018 is not all that far away!
Posted by Dr David G More MB PhD at Thursday, October 05, 2017