Strengthen protections on personal info
From February 22, 2018 the Privacy Act is changing. This will affect how a data breach is reported
What changes?
Organisations that hold personal information will be required to:
Take reasonable steps to secure this information.
Next, notify individuals whose information is involved in a data breach that is likely to result in serious harm. The Australian Information Commissioner must also be notified of eligible data breaches.
In English?
If you hold personal data and there is a possibility that it has been lost, stolen or even accessed by somebody, you MUST notify the affected individual/s AND the government.
Who does this apply to?
Any organisation that holds personal information AND has a turnover of more than $3 million dollars, ALL Health Service Providers, Credit Reporting Agencies and TFN Recipients.
When does this apply?
The scheme comes into place on February 22nd, 2018.
Why? And who's at risk of a data breach?
This scheme strengthens protections to personal information.
It’s similar to schemes already in place in the US and the UK and in the opinion of security professionals, long overdue.
Anyone is at risk, in fact security measures can only protect insofar as people are willing to implement and use them. Any Patient or Customer data lost to a malicious third party can be incredibly damaging. Furthermore, can tarnish a business name or lead to a costly legal battle.
What do I have to do before and after a data breach?
- You must take reasonable steps to ensure the security of the data you hold.
- You need a Data Breach Response Plan < here’s one you can use for free.
- Your business should have a Network and Security Audit done at least annually or after significant change.
- If you suspect a data breach, you must conduct an assessment within 30 days.
- Additionally, You must notify both affected individuals and the government if there is a breach that is “likely to result in serious harm”.
- Finally, you must take remedial action and enhance your security measures to prevent further loss.
How can Health IT help?
Health IT provide a layered approach to security which includes:
1. People Security (Training, common sense)
2. Physical Security (Server accessibility, screen locks etc.)
3. Network Security (Managed Firewall, Spam protection)
4. Endpoint Security (Managed Anti-virus, anti-spyware)
5. Application Security (Appropriate permissions, Principle of least privilege)
6. Data Security (Backup and Disaster Recovery)
If I ignore this will it go away?
No. Failure to take reasonable steps before or after a breach can result in penalties of up to $360,000 for individuals and $1.8 million for organisations.
Where can I find more information?
Talk to us or see the Office of the Australian Information Commissioner – https://www.oaic.gov.au/
“Security is a process, not a product”
Adam Kostanski, OzDoc Solutions