The Privacy Act 2020 introduces new requirements for your organisation in the event of a privacy breach. A key requirement under the new Act is ensuring you are actively minimising the risk of privacy breaches. At a bare minimum, we recommend that you have a robust employee Computer and Information Security Policy and two-factor authentication for access to your company systems.
Before we go into detail on these two protections, let’s take a look at what to do in the event of a breach.
What is a privacy breach?
A privacy breach occurs when there is unauthorised or accidental access to someone’s personal information or disclosure, alteration, loss or destruction of personal information.
What to do in the event of a privacy breach?
Being open and transparent with people about how you’re handling their personal information is a fundamental rule of privacy.
1. Contain
In the event of a privacy breach, try and get the information back. You can also disable the systems that allowed the breach (e.g. a lost cell phone or laptop).
2. Assess
Assess whether the breach has or may cause serious harm to determine if the breach is notifiable. Consider:
– Any actions taken to reduce harm.
– Is the information sensitive?
– Type of harm the person may experience.
– Who has the information?
You can also use the self-assessment tool on the Privacy Commissioner’s website to help your assessment.
3. Notify
If a privacy breach has caused, or is likely to cause, serious harm you will need to notify:
– The Office of the Privacy Commissioner
– Affected individuals
– Third parties (e.g. the police) if applicable.
4. Prevent
The most effective way to prevent future breaches is to have a well-thought-out and implemented Computer and Information Security Policy.
Examples of a privacy breach?
Scenario 1
A receptionist at a medical centre regularly has client information on their screen, including their name, address, outstanding fees and dates of their last five appointments. Staff, patients and visitors are able to see their screen from the waiting areas.
Notifiable?
Yes. You will need to notify patients and the Office of the Privacy Commissioner.
Solutions:
– Staff training to lock their computer when not in use.
– Privacy screens for laptops and monitors to shield screens from viewers other than the user.
Scenario 2
An employee for a business consultancy firm misplaces a USB drive. On the drive are some working files detailing client applications for funding, including name, address, contact details and asset/debt information.
Notifiable?
While the information lost is sufficient to make this a notifiable privacy breach, if you are able to recover the USB drive and are certain no one else has accessed the information, no privacy breach actually occurred.
Solutions:
– Computer Security Policy detailing how information is stored and transported.
Scenario 3
An employee accidentally sends an email to the wrong “Stephen” confirming an upcoming meeting.
Notifiable?
Unless the meeting topic and contents of the email disclose sensitive information, this is not a notifiable privacy breach.
Solutions:
– Employee training.
Scenario 4
An employee loses their phone at a networking event. Their phone has Outlook, Teams and access to OneDrive.
Notifiable?
While the information that can be accessed on this phone is likely sufficient to make this a notifiable privacy breach, if you are able to recover the phone and are certain no one else has accessed the phone, no privacy breach actually occurred.
Solutions:
– Strong password or access via fingerprint.
How to protect against privacy breaches
There are two basic “must-haves” for minimising the risk of privacy breaches.
A Computer and Information Security Policy details how information within your organisation is stored, handled and accessed. It also lays out the rules for how your staff use and secure their computers and other devices such as smart phones. If you would like a copy of our Computer and Information Security Policy template, click here.
Two Factor Authentication (2FA) is a must have for securing information. When you apply 2FA to your systems, your staff must present two pieces of evidence proving they are who they say they are. Typically these two pieces of information are:
1. A password.
2. A verification code that is sent to their phone and then entered into the programme.
If you would like us to help set up 2FA on your systems, please get in touch.