Help protect your employees
As an employer, you’re responsible for the safekeeping of any personally identifiable information and data you collect.
Any organisation that collects or trades in personally identifiable information is potentially at risk of a data breach, so it’s important to have a plan in place setting out how this information will be managed.
The Office of the Australian Information Commissioner (OAIC) defines a data breach as 'unauthorised access or disclosure of personal information, or loss of personal information.' [1]
This can relate to a person’s private or family life – including their name, signature, bank account and employment details; information about a person’s working habits and practices – like their work address and contact details, salary and job title; or commentary or opinion about a person.
As an employer, you need access to much of this information, so it’s important that it’s stored and managed appropriately so your employees are protected.
Preventing a data breach
To reduce the risk of a breach before it occurs, it’s a good idea to know what data you hold and how it’s being used. The checklist below can help you better understand this:
- Complete a privacy and security risk assessment every year – to identify what data your organisation holds, how it’s used and how it’s protected. This process should identify any risks to which your employees’ data might be susceptible and evaluate how personal and sensitive information is currently managed.
- Create a plan to assess privacy incidents – decide how you will assess privacy incidents and have a business system in place to help you quickly assess the severity of a breach if it does happen.
- Develop a response plan – it’s important to have a response plan and team in place prior to any data breach incidents so these can be handled efficiently and effectively.
- Keep up-to-date – as laws and technologies change, your approach to data storage and safety must also adapt. Update your response plan regularly to make sure it’s still meeting its objectives.
What to do if there’s a data breach
If a data breach does occur, having a response plan ready to go can help you manage the situation well. This plan should be developed well in advance and all team members must know where to access it and how to act on it. A data breach response plan should address four basic steps:
- Contain the data breach to prevent any further compromise of personal and sensitive information.
- Assess the breach by gathering the facts and evaluating its extent. If possible, take steps to remediate any risk of harm to individuals.
- Notify the individuals and the OAIC if required.
- Review the incident to understand how it occurred and what steps need to be taken to prevent future occurrences. Make sure to update your response plan in light of this.
For more information on your responsibilities for employees’ data and how to prepare for and respond to a data breach, visit the OAIC website.
Legislation and penalties
As of 22 February this year, all businesses that already have obligations under the Privacy Act 1988 or have an annual turnover of $3 million or above are now bound by the Notifiable Data Breaches Scheme. [2]
This requires them to report any data breaches that have the potential to cause 'serious harm' [3] to the OAIC and the individuals affected. If a business fails to do this, it could be fined up to $2.1 million. [4]
These measures are intended to increase the accountability around personal information and to give individuals the chance to reduce their risk of harm by re-securing compromised online accounts.