Lessons from the Optus Privacy Breach – Time to Check your Business Privacy Policy

Published October 5, 2022 (updated October 10, 2022). Categories: Blogs, Business, Legislation, Policy & Procedure, Privacy

October 2022


Don’t let your business be the target of online hackers!

In the recent Optus cyber-attack, 9.8 million previous and current customers’ personal data was stolen.  Passport details, drivers’ licences, names, dates of birth, phone numbers, email addresses and Medicare cards were all part of the private data taken by hackers.

Maintaining the privacy of data collected not just from customers, clients and consumers of your business, but also from your employees, is essential, so it is imperative to protect your business from fraud and scams by tightening its security.  It is your responsibility as a business owner to protect the personal information of your customers and staff.

Theft, misuse of information, loss of data, and unauthorised access and disclosure can all be breaches of the Privacy Act 1988 (Cth) (Act).

Key Takeaways

  • The Act has 13 Australian Privacy Principles that govern standards for privacy.
  • Breaching any of the Privacy Principles is an ‘interference with the privacy of an individual’, leading to penalty action.
  • A cyber-attack on your business and the personal data held can put individuals whose information is involved in a data breach at risk of identity theft, fraud, harm and loss of money.
  • If there is an eligible data breach, businesses are required to notify the Office of the Australian Information Commissioner (OAIC) and all individuals affected by the data breach.
  • Penalties range from warnings and minor fines, to serious penalties of up to $2.1 million for breaches of privacy.
  • Tips to safeguard your collected information:
    • improve staff awareness of cyber security issues and threats
    • ensure multifactor authentication is in place for all remote access
    • install firewalls and anti-virus protections to safeguard from malware

How do you know whether you need to comply?

If your business has an annual turnover of more than $3 million (AUD), then you must comply with the Act.  If your business has an annual turnover of less than $3 million (AUD), you may still have to comply with the Act, depending on your business type.

Australian Privacy Principles

There are 13 Australian Privacy Principles governing the requirements on businesses for privacy under the Privacy Act.  These are:

  1. Open and transparent management of personal information
    • This aims to ensure that a business manages personal information in open and transparent ways.
  2. Anonymity and pseudonymity
    • Businesses that collect complaints or reviews must give individuals the option not to identify themselves.
  3. Collection of solicited personal information
    • A business cannot obtain or request personal information from another entity. An entity can collect personal information where certain conditions are met, and individuals’ consent is obtained.
  4. Dealing with unsolicited personal information
    • If a business collects unsolicited information, meaning they have not taken steps to collect it but obtained it by error, they must destroy the information as soon as is reasonably practicable. If it is not required to be destroyed, the business must deal with the information in accordance with principles 5 to 13.
  5. Notification of the collection of personal information
    • A business must take all necessary steps to notify the individual(s) of information collected about them, for example the identity information collected, reasons for collection, and the Privacy Policy of the business.
  6. Use or disclosure of personal information
    • Individuals are to be made aware of the purpose for which their information has been collected, and a business can only use and disclose the information in the way the individual expected.
  7. Direct marketing
    • A business must not use or disclose personal information it holds for the purpose of direct marketing, unless an exception applies (e.g. directly marketing goods or services to an individual through the use of this personal information).
  8. Cross‑border disclosure of personal information
    • Any information disclosed to an overseas entity must be protected and the business must ensure that the overseas recipient does not breach the Australian Privacy Principles in relation to that information.  The business remains accountable for the overseas use of that information.
  9. Adoption, use or disclosure of government related identifiers
    • This principle restricts the adoption, use and disclosure of government related identifiers by businesses, unless an exception applies (e.g. the use of Medicare numbers, Centrelink reference numbers and driver’s licence numbers).
  10. Quality of personal information
    • A business must take reasonable steps to ensure personal information it collects and uses is accurate, up-to-date and complete.
  11. Security of personal information
    • Businesses must take reasonable steps to protect personal information from misuse, interference and loss, and from unauthorised access or modification.  Where a business no longer needs the personal information for the purpose for which it was used, the business must destroy or de-identify the information.
  12. Access to personal information
    • This principle requires a business holding personal information about an individual to give the individual access to that information on request.  It sets out the requirements on giving access, such as how access is to be provided and when it can be refused.
  13. Correction of personal information
    • A business is required to take steps to correct personal information it holds and ensure up-to-date and relevant information is held.

Individuals whose information has been involved in data breaches can be at risk of serious loss or damage.  Financial fraud, identity theft, physical harm or intimidation and family violence are examples of these risks.

A breach of an Australian Privacy Principle is known as an ‘interference with the privacy of an individual’ and can lead to regulatory action and penalties.

Section 80W of the Act allows the OAIC to apply to the Federal Court for an order that a business that has contravened a civil penalty provision in the Act pay the Commonwealth a penalty.  A business will be in breach of the Act if it:

  • Breaches an Australian Privacy Principle in relation to personal information;
  • Breaches a registered Australian Privacy Principle Code, where the business operates under a registered APP Code;
  • Acts contrary to or inconsistently with an Australian Privacy Principle and that organisation has a Commonwealth government contract.

Eligible Data Breach

Part IIIC of the Privacy Act requires businesses to notify affected individuals and the OAIC of certain data breaches.

Under Section 26WE(2), an eligible data breach occurs when:

  • There is unauthorised access to, or disclosure of personal information held by a business;
  • This unauthorised access is likely to result in serious harm to any individuals to whom the information relates;
  • The business has been unable to prevent the likely risk of serious harm with any remedial action.

However, the National Data Breach Scheme provides businesses with the opportunity to take steps to address the breach in a timely manner and avoid the need to notify.  If the circumstances:

  • fall within the exception under the Act, and
  • the business takes remedial action, and
  • that data breach would not be likely to result in serious harm,

then the breach does not have to be reported or actioned within the requirements of “an eligible data breach”.

If an eligible data breach has occurred, or the business suspects that an eligible data breach has occurred, the business is required to complete an assessment within the terms of the Act within 30 calendar days after becoming aware of the breach or suspected breach.

Where there is an eligible data breach, there are requirements for:

  • the preparation of a statement complying with the Act, and
  • notification to individuals affected by the breach, and
  • notification to the OAIC; and
  • the publication of a statement on the website of the business, and other public forums.

Where there has been a breach of the Act, the OAIC can take regulatory action, including the following:

  • obtain orders for an enforceable undertaking and commence proceedings to enforce the undertaking;
  • seek an injunction to prevent ongoing activity; and
  • apply to a Court for a civil penalty (fines range from 2,000 penalty units to 50,000 penalty units; businesses can face fines of up to $2.1 million and individuals can face fines of up to $420,000 for serious breaches).

Contact Us

We are experts in corporate and commercial law.  If you are dealing with any privacy related issues for your business, we would be happy to assist and provide you with specific advice on the best course of action available.

For further information, please call us on (02) 9189 5288.

Nicole Sarraf and Craig Higginbotham
5 October 2022
