HR Monthly, April 2018 (HRM magazine, page 39)

Secrets in the safe
New mandatory reporting of company data privacy breaches poses a big headache for HR.
BY ALISON BAKER, PARTNER, HALL & WILCOX

Data breaches are becoming more common due to new ransomware and other hazardous software. HR personnel are often responsible for managing their organisation’s privacy issues and are usually involved in responding to privacy breaches.

As of February, any organisation covered by the Privacy Act is obligated to notify the Australian Information Commissioner and affected individuals when there has been an eligible data breach. Types of breaches will vary, but examples include personal details such as names and addresses, or emails and passwords, being accessed with potential for identity theft, and bank account details being stolen.

Organisations that fail to meet their obligations under the new Privacy Act face a potential $2.1 million fine. Organisations holding large amounts of personal information are most at risk.

A big mistake HR could make is waiting until a breach happens and then scrambling to deal with its obligations on the run. This may attract the commissioner’s ire and lead to substantial penalties. The smart response is to prepare early for the notification regime.

Defining eligible breaches

An eligible data breach arises where there is unauthorised access to, or unauthorised disclosure or loss of, personal information held by an organisation and this is likely to result in ‘serious harm’ to one or more individuals. Common examples include where a device containing personal information is lost or stolen, or where a database containing personal information is hacked.

Serious harm may include serious physical, psychological, emotional, economic or financial harm, or serious harm to reputation.

When evaluating whether ‘serious harm’ will occur, HR must consider the following: the kind of information it is and how sensitive it is; whether the information is protected by security measures such as a password, and the vulnerability of those measures; the persons or kinds of persons who have obtained or could obtain the information; and the nature of

If the breach includes employee personal information, HR needs to assess whether the Privacy Act’s ‘employee records exemption’ applies, or whether the notification obligations have been triggered.
There is a tight time limit to respond under the new reforms. If you suspect a breach, you have 30 days to assess whether an eligible data breach occurred, hence the need to have steps in place early.

An eligible data breach may be avoided if an organisation has taken remedial action to ensure ‘serious harm’ does not occur to an individual, such that a reasonable person would conclude serious harm is not likely.
Steps HR can take

Prevention is the best defence, and organisations should take the opportunity to put adequate security measures in place to protect personal information (as was already required by the

HR personnel can minimise their risks in the

• Preparing a data breach response plan which identifies the personnel responsible for implementing the plan. It must set out ways of containing a data breach (e.g. shutting down websites, disabling access) and identifying the scope and effect of the breach: who has been affected, and how; what information has been breached; what the source of the breach was; and whether serious harm has occurred or is likely to occur.
• Preparing a template notification statement which can be populated and tailored to each eligible data breach.
• Identifying ways to prevent future breaches: for example, reviewing the organisation’s privacy and security governance arrangements, and fostering a security awareness culture.
• Training personnel regarding data breach and general security obligations, and the responsibilities each employee has in assisting the entity to comply with those obligations. •••