If you run a business it is inevitable that you will be collecting data from customers, whether it be names, birthdays, credit card details and other personal information, to enable you to run and grow your business. It is perhaps no great surprise that the handling of personal information also comes with great responsibility.
In Australia, any organisation that handles personal information could be captured under the notifiable data breaches (NDB) scheme. The scheme requires organisations to notify individuals whose personal information is involved in a data breach that is likely to result in serious harm.
Data breaches include unauthorised access, unauthorised disclosure, loss of personal information (whether accidental or inadvertent). While serious harm is not defined, it is taken to include physical, psychological, emotional, financial or reputational harm. The notification to the individual must also include recommendations about the steps individuals should take in response to the breach.
Sole traders, individuals, body corporates, partnerships, unincorporated associations, or trusts that have not had an annual turnover of more than $3m in any financial year since 2001 are exempt from the reporting requirements (the small business operator exception). However, even if you are considered to be a small business operator, you may not be exempt from reporting requirements if your business falls into any of the following categories:
- provision of health services;
- related parties of entities that have an obligation to protect personal information they hold under the Privacy Act;
- in the business of trading personal information for benefit, service or advantage;
- credit reporting bodies;
- employee associations registered under the Fair Work Act; and
- those that “opt-in” to the scheme.
In addition, small business operators must also comply with the NDB scheme, only in relation to personal information held by the entity for the purpose of or in connection with the following activities:
- providing services to the Commonwealth under a contract;
- operating a residential tenancy database;
- reporting under certain Acts in relation to money laundering or counter terrorism;
- conducting a protected action ballot; and
- information retained under the mandatory data retention scheme as a part of the telecommunications Acts.
Therefore, even if you are a small business owner you may not be able to avoid the NDB scheme if you fall into any of the above categories. If you are captured under the scheme, and there is a data breach, you and your business will need to undertake a swift assessment of the situation. Where a breach is identified that is likely to cause serious harm, you need to notify the individuals involved as well as the Office of the Australian Information Commissioner as soon as practicable.
To ensure that you have secured all your customers’ information the Office of the Australian Information Commissioner provides various resources in relation to securing personal information and data breach preparation. It’s not only good practice to ensure that customer data is secure, it’s good business.