Big data is here to stay....
Believe it or not, we live in a Data Driven World. A BIG data driven world.
Just think about it – we have our digital footprints everywhere and they are easily traced to reveal more about ourselves than we care to realise.
Some examples – when we sign up to Uber, Menu Log, Facebook, Twitter, internet banking, LinkedIn, Opal cards etc., we are providing all types of information that can identify us as individuals.
We can even be identified by our phones, our IP addresses, and our devices.
Companies can and do use that information to track our movements, our tastes in fashion and culture, our likes and dislikes, our preferences and our buying habits. How many times have you noticed, when on a website, that if you click on an ad or a sponsored story, similar products to those mentioned in that "click bait" mysteriously appear when you revisit the site? Companies are geared and organised to capture data for many reasons, including sales and marketing purposes.
We are all connected, even Government....
Customers and consumers are now all entrenched in the internet, including the "internet of things" (when your fridge re-orders more groceries because you are running low, your car books itself into a service appointment because it needs it and, very soon, the car will drive itself there and back).
On top of this we have regulatory authorities trying to exercise some control over this mass of personal data collected in everyday modern living. The regulators are responding to very real concerns about the use of this data and how it should be restricted.
The result is a struggle between business (and government), consumers and individuals and regulatory authorities all seeking to adapt to a rapidly changing data environment.
If ever there was a "perfect storm" of conflicting interests, it is here now.
What are the implications....
If we quickly review where we are today, the Privacy regime is largely driven by developments in the EU, the UK and the US. We have not yet reached the stage of a global regulator, but many countries have introduced laws based on the automatic processing of personal data, an approach that has been developing in Europe since the late 1970s to early 1980s.
Today, Europe has developed what is known as the EU General Data Protection Regulation ("GDPR"), which contains new data protection requirements that will apply from May 2018. The GDPR will apply to businesses operating in the EU and will catch an Australian business that has an office in the EU, that operates a website where EU customers can order goods and services or that enables payment in euros, or that tracks individuals in the EU on the internet to analyse and predict personal preferences, behaviours and attitudes.
The Australian Privacy Act 1998 and the GDPR already share many common requirements but there is much more to be done.
Where is all this headed....
It is apparent that Privacy is a major issue for business, especially in the data driven world of "fake news", "hacking", data breaches and the question of trust between individuals and government and between individuals and business. If we look at existing privacy requirements we find a regulatory regime that requires transparency from a business to disclose (amongst other things):
1. Where a company holds personal information or data
2. Whether that information or data is shared with others and the circumstances in which it is shared
3. Who can access it and how access is provided
4. Whether the consent of the individual is required or not
5. How a company protects the information or data it has collected
6. How long a company can keep that information or data
7. The use it may make of that information or data including profiling
To that list can now be added the mandatory requirement to notify the Regulator of any data breaches.
What about the Regulators....
The real message is that the Regulators, both overseas and in Australia, are now heading down the path of enforcement by fining and public shaming. No one wants to deal with organisations that cannot be trusted and it is well past the time where Privacy obligations can be treated off-handedly by any organisation.
Mandatory Data Breach Notification in brief....
The next major shift for Privacy will be mandatory data breach notification – in Australia, this law imposes significant penalties on those organisations that are subject to the Privacy Act that commit serious or repeated failures to comply with notification requirements.
The Privacy Amendment (Notifiable Data Breaches) Act 2016 ("the Act") will commence on 22 February 2018. The Act deals with data breaches and there are penalties of up to $1.8m for serious or repeated failures to comply with notification requirements. The Act applies to any organisation that is subject to the Privacy Act 1998 (for example, any organisation with a turnover of more than $3,000,000.00 per annum).
Tell Me More....
A new concept of "eligible data breach" is introduced in the Act. An eligible data breach happens when there is unauthorised access to, or disclosure of, information, or information is lost in circumstances where unauthorised access to or disclosure of that information is likely to occur (or did occur), AND a reasonable person would conclude that the access, disclosure or loss would be likely to result in serious harm to any of the individuals to whom the information relates.
Serious harm includes physical, psychological, emotional, economic, financial or reputational harm that a reasonable person in the entity's position would identify as a possible outcome of the data breach.
A person can be upset or distressed, but the question is whether a reasonable person would consider that the likely consequence for those persons would constitute a form of serious harm. The reasonable person standard introduces an objective test.
Mandatory Notifications to the Australian Information Commissioner....
Mandatory notification to the AIC and to affected individuals is required as soon as practicable when there are reasonable grounds to believe there has been an eligible data breach. The GDPR, by contrast, gives organisations 72 hours to notify the Regulator of any data breach.
What can we do now....?
Organisations should consider a Data Breach Response Plan to:
(a) inform the AIC within 30 days of the breach;
(b) provide contact details;
(c) provide a description of the serious data breach;
(d) describe the kinds of information concerned; and
(e) provide recommendations about the steps that affected individuals should take in response to the serious data breach.
Organisations could also consider cyber insurance, a relatively new product which is available now and which can be discussed with your Insurance Broker.
The OAIC has provided information regarding responding to a data breach (see https://www.oaic.gov.au/agencies-and-organisations/guides/data-breach-notification-a-guide-to-handling-personal-information-security-breaches) and a guide to developing a data breach response plan (see https://www.oaic.gov.au/agencies-and-organisations/guides/guide-to-developing-a-data-breach-response-plan).
A proper compliance programme, a culture of accountability and transparency and a self-reporting environment are only the first steps. If organisations do not take Privacy seriously, they will be left behind by their competitors. Data breaches will occur; how you will react is the real question.
This is the first in a series of articles by Ledlin Lawyers designed to provide insights and advance warning of issues that will affect Credit Professionals in their day to day workplace challenges.
In our next article, Privacy Toolkit, we point out some "how-to's" for dealing with Privacy issues and legal requirements, with real case study examples.
FOR MORE INFORMATION...
Contact Terry Ledlin, Special Counsel
Phone: 02 8488 3389