If you’ve been reading the biz news or scrolling through LinkedIn lately you will be aware that the Privacy Act is changing in 2018. What you may not know is how this is likely to affect your association. Here is a summary of the changes to the Act and an overview of what the implications will be for the association sector.
With associations being responsible for member records, it is important for the sector to protect itself from data breaches.
Tabled as the most significant changes to the Australian Privacy Act 1988, the new Privacy Amendment (Notifiable Data Breaches) Act 2017 will come into effect from 22nd February 2018.
The Amendment means that any eligible data breach must, by law, be reported to the Office of the Australian Information Commissioner (OAIC).
In an article from March this year, Luke Hooper, Special Counsel at Mills Oakley, summarises an eligible data breach as:
(i) there is unauthorised access to, or unauthorised disclosure of, Information held by an entity; or
(ii) information is lost in circumstances where there is likely to be unauthorised access to or unauthorised disclosure of Information; and
(b) a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the Information relates.
In the event of an eligible data breach, notification must be made to the OAIC within 30 days. KPMG outlines the notification process as:
When an organisation suspects that there may have been an eligible data breach, but isn’t yet sure, then all reasonable steps are required to be taken to ensure an assessment is completed within 30 days.
When an entity becomes aware that there has been an eligible data breach, they must, as soon as practicable:
• prepare a statement that includes details of the breach and recommendations about the steps individuals should take; and
• give a copy of the statement to the OAIC.
KPMG’s article notes that:
To avoid a data breach becoming a notifiable data breach you must be actively monitoring data breach and data loss events, and have in place a process to assess and take action to respond to those events. Then, if a reasonable person would conclude that the data breach would not likely result in serious harm to those individuals, a data breach can avoid becoming an eligible data breach.
So, associations must now consider preparing and implementing privacy procedures that assist both in preventing data breaches and in responding when a breach occurs.
Compounding the upcoming privacy changes, the much-discussed General Data Protection Regulation (GDPR) also comes into effect in 2018, in May, under the European Union. Whilst not an Australian law, the GDPR will affect Australian associations if they:
• have an establishment in the EU (regardless of whether they process personal data in the EU), or
• do not have an establishment in the EU, but offer goods and services to, or monitor the behaviour of, individuals in the EU.
Like the Privacy Act, the GDPR will serve to protect ‘personal data’. The KPMG article notes the following:
The GDPR not only applies to the processors of personal data (the outsourcing party in an outsourced relationship, for example) that are established inside the EU – whether or not that processing actually occurs within the EU – but also to the processors and controllers outside the EU where an organisation:
• offers goods and services to individuals inside the EU, even if no payment is required; or
• monitors the behaviour of individuals within the EU – especially if you perform analysis or profiling of that activity for predictive purposes.
Whilst it may seem clear that by having a website that allows people in the EU to use your products or services you are captured by the requirements of the GDPR, it isn’t that simple. Other factors such as whether you accept payment in Euros, or offer a native-language version of your site are important considerations when determining whether the GDPR applies to you.
If they are covered by the GDPR, organisations will also need to appoint a representative within the EU to be the point of contact for supervisory authorities and data subjects on all issues related to processing of personal data.
(You can read the full KPMG article here.)
For associations that fall under GDPR guidelines, pre-planning to ensure data protection policies are current and regularly reviewed should be underway now.
Between the Privacy Act changes and the introduction of the GDPR, all organisations, including associations, must take additional steps to protect the personal data they are entrusted with.
This topic will be amongst those covered at the upcoming Strategic Board Series: Future Proof your Association for 2018. Read more and register here.