Protecting your customers’ data

Any business in Australia that holds customer or supplier information has a responsibility to ensure that the personal information it holds is secure from unauthorised access. The Notifiable Data Breach (NDB) scheme requires businesses to notify individuals whose personal information is involved in a data breach that is likely to result in serious harm. This scheme usually applies to larger businesses but could capture sole traders, individuals, trusts and partnerships (however small) under certain circumstances.

If you run a business it is inevitable that you will be collecting data from customers, whether it is names, birthdays, credit card details or other personal information, to enable you to run and grow your business. It is perhaps no great surprise that the handling of personal information also comes with great responsibility.

Sole traders, individuals, body corporates, partnerships, unincorporated associations, or trusts that have not had an annual turnover of more than $3m in any financial year since 2001 are exempt from the reporting requirements (the small business operator exception). However, even if you are considered to be a small business operator, you may not be exempt from reporting requirements if your business falls into any of the following categories:

  • Provision of health services;
  • Related parties of entities that have an obligation to protect personal information they hold under the Privacy Act;
  • In the business of trading personal information for benefit, service or advantage;
  • Credit reporting bodies;
  • Employee associations registered under the Fair Work Act; and
  • Those that “opt-in” to the scheme.

In addition, small business operators must also comply with the NDB scheme, but only in relation to personal information held by the entity for the purpose of, or in connection with, the following activities:

  • Providing services to the Commonwealth under a contract;
  • Operating a residential tenancy database;
  • Reporting under certain Acts in relation to money laundering or counter terrorism;
  • Conducting a protected action ballot; and
  • Information retained under the mandatory data retention scheme as a part of the telecommunications Acts.

If you are captured under the NDB scheme and a data breach occurs, your business will need to undertake the following steps:

  1. Take immediate action to rectify the breach and limit any further access to your systems and data.
  2. Assess whether the data breach is likely to result in serious harm to any of the individuals whose information was involved.
  3. If serious harm is likely, the Office of the Australian Information Commissioner (OAIC) must be notified of the breach.
  4. All individuals who are likely to suffer serious harm as a result of the data breach must be notified.
  5. The business must review the incident and take actions to ensure the breach does not occur again.
  6. Reporting the incident to relevant bodies such as the police or the Australian Cyber Security Centre should be considered.

Tips on keeping personal information secure

  • Consider whether it is actually necessary to collect and hold personal information in order to carry out your functions or activities.
  • Plan how personal information will be handled by embedding privacy protections into the design of information handling practices.
  • Assess the risks associated with the collection of personal information, whether arising from a new act or practice, a change to an existing project, or as part of business as usual.
  • Take appropriate steps and put into place strategies to protect personal information that you hold.
  • Destroy or de-identify the personal information when it is no longer needed.
  • Ensure your computer/server’s protection software is up to date.

What’s next?

To help you secure all your customers’ information, the OAIC provides various resources on securing personal information and preparing for a data breach. Ensuring that customer data is secure is not only good practice, it’s good business.
