5 Key Privacy Tips: How to survive in a post-Optus compliance landscape

November 18, 2022


Universal Counsel #optusdatabreach #privacylaw #auslaw #tips #compliance #tech #UCthedifference #UCtech

The Office of the Australian Information Commissioner (OAIC) has this week announced a formal investigation of the circumstances surrounding the recent Optus data breach affecting 9 million Australians. If Optus is found liable for breaches of the Privacy Act, they could be looking at fines of up to $2.2 million per contravention. The fall out from the handling of this massive data breach could, however, end up costing Optus - and ultimately many other Australian businesses - a whole lot more with recent public calls for everything from massive penalty increases to complete overhauls of privacy law and regulatory powers.

Without minimising the significance of privacy and data breach to individuals and businesses both, we can first put things in perspective here: Australia already has some of the most proscriptive privacy laws in the world, and I'm broadly of the opinion that the system of obligations and penalties we do have currently strikes a decent balance between commercial pragmatism and effective pecuniary dis/incentives.

Are you one of the 9 million people who received an email from Optus? I am. But I'm also the owner of a small business, a business that was - like most law firms, accountants, banks, and other businesses (including telcos) likely to be ripe for the picking - targeted by a relatively sophisticated phishing scheme just yesterday. The reality is that we live in an increasingly technologically complex world, and one in which most individuals have generally little care and even less control in relation to the use of and access to their personal information. Data breaches happen. While you can't hope to avoid one forever, you can plan for it, and work to minimise both the potential impact on your business and on individuals, as well as the risk of penalties or other regulatory action for non-compliance.

So, let's talk about how you can avoid 'doing an Optus' and keep your business (and your customers, users, and employees) protected. We've got 5 key tips below to get you going, and Pathwise - powered by Universal Counsel - to help you get your privacy compliance project done and dusted. Reach out to us at contact@universalcounsel.com.au today.

1. KNOW YOUR STUFF

When we're talking privacy in Australia, we're talking specifically about 'personal information'; that's information about an individual by which that individual is or can be identified. This generally doesn't include other sensitive information like credit card details, financial information, employee records, or information about a company or business (not an individual). The Privacy Act contains our laws regarding personal information, but it is not the only law in Australia that creates obligations in relation to information handling and data security.

Does the Privacy Act apply to you?

If your business has an annual turnover of more than $3 million, the Privacy Act applies and you need to be informed of your responsibilities in relation to collecting, storing, using, disclosing, and destroying personal information (largely contained in the Australian Privacy Principles) and - as Optus is all too aware - managing risks and consequences in relation to notifiable data breaches.

Some businesses whose turnover is less than $3 million may also be subject to the Privacy Act, including our UC.Health clients, those of our UC.Tech clients that are in the business of handling information, and UC.Creative businesses that are Commonwealth government contractors. You will also have responsibilities if you've voluntarily opted in to the Privacy Act. It's important that businesses that elect to have a public privacy policy understand that this choice may be sufficient to make them subject to the broader provisions of the Privacy Act, even if compliance would not otherwise be mandatory.

What other overlapping obligations apply?

Other Commonwealth and state laws can both modify the application of the Privacy Act (like the Fair Work Act, which exclusively governs the handling of personal information that constitutes an 'employee record') and create additional co-existing obligations around the collection, retention, and destruction of personal information. These obligations are typically industry or activity-specific, but may not always be front of mind, even for experienced traders. A few examples from recent Universal Counsel matters:

  • UC.Health clients are likely to be subject to state-based health records obligations regarding mandatory retention, use, and disclosure of personal information constituting a health record (but this can also apply to UC.Tech clients who collect information in relation to health services);
  • Second-hand goods dealers may be subject to state-based regulation requiring the collection and retention of transaction and identity information in relation to sellers and customers (a fraud/criminal conversion protection measure);
  • Companies have obligations to maintain certain records for a minimum of 5 or 7 years and you must not destroy any information that is relevant to current or anticipated litigation - any and all of which may include personal information; and
  • A suite of Commonwealth Telecommunications instruments mandate specific reporting protocols in the event of a data breach, provide more detail around action required to sufficiently secure personal information, and retain certain data for a fixed period (again, for the purposes of facilitating criminal investigations).

Critically, the Privacy Act imposes general obligations around the collection, use, and retention of personal information which basically amount to 'take (and keep) only what you need'. You are not in breach of your obligations under the Privacy Act where you are retaining information you are required by law to retain - but you need to ensure that your communications with individuals and trading partners accurately reflect your actual data handling procedures.

BEWARE: you may also agree to undertake obligations relevant to personal information (and other data to which the Privacy Act does not apply) under contracts with your trading partners. This may be stricter than your obligations at law (and, in unfortunate circumstances, may conflict with those obligations). While the OAIC won't pursue you for breach of contract, the financial consequences of civil action for contractual breach may be an even more immediate and significant threat.

2. GET YOUR POLICIES, PROCEDURES & PLAYERS IN PLACE

Under the Privacy Act we have 13 Australian Privacy Principles ('APPs'). Among these are obligations to have a public privacy policy, to only collect, use and retain information that is needed to provide your goods or services, and to take active steps to ensure that personal information is securely stored. The OAIC is investigating to see whether Optus had taken these steps to protect their customers' data. Generally, the APPs and associated guidance say that you should be implementing policies and procedures in relation to the following (where applicable):

  • data breach handling;
  • physical security, ICT security, identification/authentication and access;
  • internal practices, procedures and systems as well as governance, culture and training;
  • third party providers; and
  • destruction and/or de-identification of data.

Remember that individuals have the general right to ask what information you hold about them and to request the destruction/return or de-identification of their personal information. If fulfilling a request of this kind could conflict with your obligations at law, you need to have a script in place and key people trained to manage communications as well as data-handling processes.

When we facilitate implementation of a Path to Compliance plan for UC clients, we always look to cement or establish clear communication/reporting lines and an ultimate Risk/Crisis Committee responsible for co-ordinating key efforts, providing essential advice, and making the important decisions. The risks managed by this committee are not just legal, but commercial, physical, and reputational, so your representatives should include not only key executives within the business but also external advisors like your insurance broker, a risk/compliance-expert lawyer, and a PR expert specialising in crisis. The power of the Universal Counsel model is the ability to connect you with a team of experts who don't just know their stuff, but know what matters to your business.

3. TRAINING MONTAGE TIME

Coming up with a compliance plan is only the first step on your path; effective risk mitigation requires implementation, auditing, and regular refreshes. Imagine "Eye of the Tiger" playing in the background if that'll inspire the necessary motivation... and remember that you're not in this alone. Our Universal Counsel privacy experts are always on call and always in your corner, and our retainer clients receive annual training and compliance audits as added relationship value.

If your key staff members aren't aware of processes and policies across your organisation, then inconsistencies (and liabilities) are bound to arise. Despite a lot of 'yes Optus (is to blame)' finger pointing recently, a business has not necessarily breached the law or committed a wrong - and you will not necessarily be subject to a penalty - simply because a data breach has occurred. Where you will run into trouble is if you have not abided by the APPs or obligations under separate legislation. Added to that, while penalties can generally only be applied by regulatory authorities, your business may be left with a bill for compensatory (and potentially exemplary) damages should you be found liable for negligence, breach of contract, or misleading/deceptive conduct in relation to a data breach where individuals or customers/clients concerned have suffered loss as a result of your acts or omissions.

TL;DR: it's all very well to have great policies in place, but your people need to understand and abide by them day to day to minimise the likelihood of a breach occurring and rule out the risk of penalties or successful claims. Regular, relevant training is the key.

The good news is that your insurer knows this to be true too, and they may subsidise or provide other incentives in support of privacy (and other) compliance training programs. Speak to one of our insurance, risk, and compliance experts today about maximising the benefits of a clear compliance plan for your business.

4. GAME ON: SECURE DATA STORAGE

At Universal Counsel, we speak 'tech' and our UC.Tech experts are always happy to translate. Here are a few of our systems, programs, and processes tips for every business (no matter how low-fi):

  • Cloud-based storage (vs local servers) is generally now viewed as the more secure method, but you will need to consider implications regarding the APP 'overseas disclosure' provisions, and ensure you use only reputable and reliable service providers like AWS.
  • Siloing or segregation of information is one of the most effective systemic means of reducing data breach risk - if someone does gain access to your system, they should only be able to access one complete record at a time through the user interface, and otherwise only be able to hack into (at most) lists of one type of information, like email addresses, without accessing the attached name, date of birth, etc. Through this measure, what is accessed may not actually constitute 'personal information' and will otherwise be far less likely to cause harm if used.
  • Encryption can be used together with the above data storage approaches and is an option for protecting data (particularly when being communicated to other systems) that is now available directly or via plug-ins through many common programs and platforms, including Outlook. If encrypted data is accessed without the corresponding key, the information cannot be read (and is no longer personal information).
  • Regular audits & purges are both explicitly required under the APPs and strongly recommended procedures for every business, even if the volume of personal information you collect and store is limited. Breaches are often only discovered after the fact through these kinds of checks, but the larger the time difference between event and action the greater the likelihood that you will be found to have breached your obligations.
  • Don't use government identifiers: a specific but lesser-known rule under the Privacy Act to protect higher value/risk information (and one potentially relevant to the Optus event). You may be required to retain government identifiers like passport numbers under industry/activity-specific laws, but you must not use those identifiers to identify or organise individuals within your database.

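As an added illustration (not code from the original article), here is a small Python model of the segregation, government-identifier and retention-purge points in the bullets above: each attribute type sits in its own table, linked only by an opaque surrogate key; the passport number is stored but is never the key; and records older than the retention period are purged from every table at once. The `SegregatedStore` class, its table names and the sample records are assumptions made for this example.

```python
import uuid
from datetime import datetime, timedelta


class SegregatedStore:
    """Personal information split into single-purpose tables that share only an
    opaque surrogate key. A dump of any one table yields one attribute type with
    nothing to link it to a person; the full record is only assembled by key."""

    def __init__(self):
        self.names = {}     # rid -> full name
        self.contact = {}   # rid -> email address
        self.identity = {}  # rid -> passport number (retained, never used as key)
        self.created = {}   # rid -> collection time, drives retention purges

    def add(self, name, email, passport, collected_at):
        rid = uuid.uuid4().hex  # surrogate key: random, carries no personal information
        self.names[rid] = name
        self.contact[rid] = email
        self.identity[rid] = passport
        self.created[rid] = collected_at
        return rid

    def record(self, rid):
        """The user-interface path: one complete record at a time, by surrogate key only."""
        return {"name": self.names[rid], "email": self.contact[rid],
                "passport": self.identity[rid]}

    def table_dump(self, table):
        """What a single compromised table exposes: one attribute type, unlinked."""
        return sorted(getattr(self, table).values())

    def purge_older_than(self, now, retention_days):
        """Remove every trace of records held longer than the retention period."""
        cutoff = now - timedelta(days=retention_days)
        stale = [rid for rid, t in self.created.items() if t < cutoff]
        for rid in stale:
            for table in (self.names, self.contact, self.identity, self.created):
                table.pop(rid, None)
        return len(stale)


def demo():
    """Constructed sample data: one record past a 7-year retention period, one current."""
    store = SegregatedStore()
    now = datetime(2022, 11, 18)
    old = store.add("Ann Example", "ann@example.test", "PA0000001", now - timedelta(days=3000))
    new = store.add("Bob Example", "bob@example.test", "PA0000002", now)
    leaked_emails = store.table_dump("contact")   # no names or passports alongside
    purged = store.purge_older_than(now, 7 * 365)
    return {"leaked_emails": leaked_emails, "purged": purged,
            "old_kept": old in store.names, "new_kept": new in store.names}
```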
The ACSC has a range of clear and practical general tips for addressing data security risks in your business, but our experts at Universal Counsel can help to prepare and implement an end-to-end compliance and risk plan suited to your business' specific needs.

5. OVERTIME: THE HUMAN FACTOR v MULTI-FACTOR

Definition of data breach: when information is lost or subjected to actual or potential unauthorised access, modification, use, disclosure or other misuse. A breach will be 'notifiable' (requiring reporting to the OAIC and the parties concerned) if it: (a) occurs in respect of data that is 'personal information', and (b) is likely to result in 'serious harm' to an affected individual.

People matter. Our privacy laws are ultimately in place to protect real people from harm, but it is also your people that will likely be the biggest factor in determining the likelihood of, and severity of consequences arising from, a data breach.

The Australian Cyber Security Centre (ACSC) along with all other leading authorities commonly state that the introduction of multi-factor authentication processes is the single most effective way to reduce data security risk and, in most data breach cases, would have been sufficient on its own to prevent the breach. While too-simple passwords can be cracked, this kind of exposure most commonly arises from 'the human factor' - inexpert individuals who are tricked into providing password details to scammers through increasingly sophisticated targeted attacks, or people with a keen eye for opportunity.

If you walk away with only one idea from this article it should be this: mistakes happen and you cannot eliminate the risk of data breach; however, you can greatly reduce the significance of that risk and the potential consequences by implementing technological solutions to compensate for very human weaknesses. Having to verify your identity multiple times may be annoying but it will be a far greater annoyance to scammers when they are locked out of your systems.

KEY TAKE-AWAYS

All businesses can take the following actions to ensure compliance and minimise risk in relation to potential data breaches. Reach out to us today at contact@universalcounsel.com.au for your personalised Path to Compliance plan:

  1. Understand the obligations at law that are specifically applicable to your business in relation to privacy and data breach compliance and procedure.
  2. Have a privacy policy (public, or internal if not required by law) and a notifiable data breach procedure/policy (internal). Put your Crisis Council to work.
  3. Get training for your key staff members on your business' obligations and its policies, as well as best-practice cybersecurity and avoiding scams. Make sure that what you say you do aligns with what you actually do.
  4. Use industry-standard systems, programs, and processes to store data securely in dispersed and siloed/segregated locations and (as appropriate) in encrypted form so that, if hacked, complete records are not accessed, and the data is not in useful form.
  5. Use multi-factor authentication and limit individual access to data, make sure you keep current lists of who has access and require passwords to be changed regularly.
