Keeping your customers' personal information safe from unauthorised use, loss or disclosure (known as a data breach incident) is vitally important.
Not only can a data breach incident negatively impact your business' reputation, but there may be legal consequences, too. There are new laws around the reporting of data breach incidents to customers and to the government regulator (the Office of the Australian Information Commissioner) that have the potential to impact small businesses.
What is personal information?
The information you collect about your customers may include their names, addresses, phone numbers, bank details and credit card numbers. These are all types of personal information.
Business owners are responsible for protecting their customers’ personal information, and for securely destroying or de-identifying it when it’s no longer needed.
Why is this important?
If your business experiences a data breach incident and you’re an Australian Privacy Principles Entity (APP Entity), you may be legally required to report it to your customers and the government regulator under the Notifiable Data Breaches (NDB) scheme. APP Entities are defined in the Privacy Act 1988 (Cth) and include:
- Australian Government agencies
- businesses and not-for-profit organisations that have an annual turnover of more than $3m
- private sector health service providers
- credit reporting bodies
- credit providers
- entities that trade in personal information
- tax file number (TFN) recipients
A data breach incident can occur in a number of ways, including:
- Leaving a customer's personal information on the bus
- Leaving a customer's personal information in a car, which is then stolen
- Throwing out a hard drive without securely destroying it
- Not patching IT system vulnerabilities in a timely manner, leaving your system open to malicious hacking
- Throwing out paper records which contain a customer's personal information without properly destroying the records
How can I keep my customers' personal information secure?
There are steps you can take to reduce the risk of a data breach incident happening at your business:
- Familiarising yourself with your legal obligations under the Notifiable Data Breaches (NDB) scheme
- Conducting a risk assessment to make sure that employees only have access to customers' personal information where it is required for their job, and reviewing that access regularly to confirm it is still needed
- Ensuring any personal information is securely stored and destroyed correctly when it is no longer needed
- Using appropriate password controls, and updating passwords regularly
- Making sure that your staff and business partners are aware of the business’ privacy obligations: privacy is everyone’s responsibility
You can find out more about the Notifiable Data Breaches (NDB) scheme on the OAIC website.