The announcement of increased penalties for misuse of personal information by entities covered by the Privacy Act serves as a reminder of the importance of ensuring that your not-for-profit organisation has robust data and personal information handling practices in place. Is your organisation prepared to handle and respond to a data breach?
While it’s easy to think that this will never happen to you, the evidence shows that data breaches are by no means rare occurrences in Australia. Over 964 data breaches were reported to the Office of the Australian Information Commissioner during the first year of the notifiable data breach scheme alone, of which 60% were the result of malicious or criminal attacks.
Privacy policy & privacy notice
The starting point when it comes to strong data and personal information practices is your not-for-profit organisation’s privacy policy. An effective privacy policy will help the public to understand how your organisation will handle the personal information it collects.
This policy must be kept up to date and should provide clear and detailed information on your collection and use of information, including:
- What type of personal information your organisation collects;
- How and why your organisation collects that information;
- How your organisation will hold the information it collects;
- What purposes your organisation will use the information for; and
- Who will have access to the information, and how it is being protected.
Periodically reviewing your privacy policy is an effective way to make sure that you understand exactly what types of personal information and data your organisation is collecting, and how you are handling that data and information.
The privacy policy should also be supported by a separate notice of collection to be given to your clients to sign at or before the time your organisation collects their personal information.
Data breach response plan
The next step is to consider how your organisation will respond in the event of a suspected data breach. Prudent not-for-profit organisations should ensure that they have an appropriate data breach response plan in place, prepared in advance, which addresses:
- Who is responsible for handling and responding to a suspected data breach?
- How will a suspected data breach be investigated?
- What steps must be taken if a data breach has occurred?
- Who must be notified of the data breach and how must this occur?
- What steps must be taken to minimise the risk of harm to affected clients?
- What timeframes apply to responding to the data breach?
These are just a few of the issues to consider in relation to the collection and management of data and personal information.
Please contact us if you would like further information about your organisation’s privacy or data breach obligations under the Privacy Act.
The post Are you prepared for a data breach? appeared first on CRH Law.