In the wake of the Optus data leak, legislation before Parliament will lift the maximum fine for serious or repeated breaches of the Privacy Act from $2.2m to up to $50m. But there are no guarantees that even the strongest safety measures will prevent an attack. So, what does that mean for business and their customers?
Legislation before Parliament will lift penalties for serious or repeated privacy breaches, provide new powers to the Australian Information Commissioner, require entities to provide detailed data to the Information Commissioner to assess public risk, and give the regulator greater information sharing powers. In a statement, Attorney General Mark Dreyfus said, “When Australians are asked to hand over their personal data they have a right to expect it will be protected.” But the question is, can any business claim that customer data will be protected from hackers?
If a customer needs to disclose their personal information to your business to work with you, at the point the data is collected, your business is the custodian of that data. A duty of care exists from the moment the data is collected to the point the information is no longer required and destroyed.
The Privacy Act requires organisations to take “reasonable steps” to protect the data collected. ‘Reasonable’ steps “requires the existence of facts which are sufficient to [persuade] a reasonable person.” That is, in the event of a data breach, the business will need to prove the steps they have taken to protect client data.
