Any Australian organisation that handles personal information could be captured under the Notifiable Data Breaches (NDB) scheme, which requires organisations to notify individuals whose personal information is involved in a data breach that is likely to result in serious harm. This scheme usually applies to larger businesses, but could capture sole traders, individuals, trusts and partnerships under certain circumstances.
If you run a business, it is inevitable that you will be collecting data from customers. The handling of personal information comes with great responsibility.
Data breaches include unauthorised access, unauthorised disclosure and loss of personal information. While serious harm is not defined, it is taken to include physical, psychological, emotional, financial or reputational harm. The notification to the individual must also include recommendations about the steps individuals should take in response to the breach.
Sole traders, individuals, bodies corporate, partnerships, unincorporated associations, or trusts that have not had an annual turnover of more than $3m in any financial year since 2001 are exempt from the reporting requirements (the small business operator exception). Even then, you may not be exempt from the reporting requirements if your business falls into certain categories, including health care providers, related parties to entities that do have an obligation to protect personal data, businesses that trade personal information for a benefit or service, credit reporting bodies, employee associations registered under the Fair Work Act, and those that opt in to the scheme.
Small business operators must also comply with the NDB scheme for personal information they hold in connection with certain activities, including providing contractual services to the Commonwealth, operating a residential tenancy database, reporting in relation to money laundering and counter-terrorism, conducting a protected action ballot, and retaining information under legislated mandatory data retention schemes.
If you are indeed captured under the scheme, and there is a data breach, you and your business will need to undertake a swift assessment of the situation. Where a breach is identified as likely to cause serious harm, you need to notify the individuals involved as well as the Office of the Australian Information Commissioner as soon as practicable.
The Office of the Australian Information Commissioner provides various resources in relation to securing personal information and data breach preparation. It’s not only good practice to ensure that customer data is secure, it’s good business.