In February 2017, the Privacy Amendment (Notifiable Data Breaches) Bill 2016 was passed by Parliament into law, with a commencement date of February 2018. The key objective of the legislation is to bring accountability and transparency to organisations that hold the personal information of individuals. The accountability takes the form of remedial action (notification) required of the holder of the personal information in the event of a data breach. Many holders of personal information, including bookkeepers, may be impacted. The legislation is also intended to encourage businesses to improve their data security protocols.
Who is impacted?
In a nutshell, the new regime requires certain organisations (many businesses and government agencies) to notify individuals who are likely to be seriously harmed by a data breach at that organisation. These organisations include:
- All entities subject to the Commonwealth Privacy Act (most government agencies and private sector organisations with a turnover of $3 million or more)
- Certain credit providers
- Credit reporting bodies, and
- TFN recipients.
Even if your business has a turnover of less than $3 million and is therefore not caught by the first category above, our preliminary advice from the Office of the Australian Information Commissioner (OAIC) and the ATO is that bookkeepers will very likely be regarded as “TFN recipients”, that is, holders of individuals’ TFNs, and will therefore be required to comply with the new regime. You are deemed to hold TFNs wherever they are stored: on any device, including mobile phones, portable computers and USB drives, on networks, or in paper records. A typical example of the data a bookkeeper controls is a client's payroll file, which contains TFNs, salaries, bank account details, addresses, family details and more. Note that the new regime applies to TFN recipients only to the extent that TFN information is involved in a data breach.
Under the new legislation, a breach occurs when personal information is accessed or disclosed without authorisation, or is lost in circumstances where such access or disclosure is likely, and this is likely to result in serious harm to the individuals to whom the information relates. Data breaches need not involve malicious actions by third parties (such as theft or hacking); they can equally result from internal errors or process failures that cause accidental loss or disclosure.
Notification of data breaches
Drilling down into the details of the legislation, the remedial action an organisation must take is notification. Specifically, the legislation requires the organisations listed above to notify “eligible data breaches” (those likely to result in serious harm to any individual to whom the information relates) to the OAIC and to the affected individuals themselves. Notification must be made as soon as practicable after the organisation becomes aware that “there are reasonable grounds to believe that there has been an eligible data breach of the entity”. Examples of an “eligible data breach” are wide-ranging and include when:
- A device containing a client’s personal information is lost or stolen and there is no way of managing the device remotely (for example, wiping it) or of ensuring that it hasn’t been accessed
- A database containing personal information is hacked
- Personal information is mistakenly provided to the wrong person (for example, staff accidentally email a client’s personal information to another individual)
- There is unauthorised access to a spreadsheet containing client financial information.
Given the nature of the client information held by bookkeepers (TFNs, bank account details, names, addresses, financial data), a breach may well have the potential to result in “serious harm” to an individual or business (for instance financial loss or identity theft) and thus require notification. As stated, notification must be made not only to the OAIC but also to affected individuals. This includes clients and potentially all of their employees, customers and associates whose personal information is contained in a client’s software file, for example. Indeed, if your own systems or passwords were compromised you may, in the worst case, be required to notify all of your clients and all of their employees and associates. The requirement to notify may therefore have a crippling effect on the reputation of your business, not to mention being an onerous process to undertake. It may also expose you to civil action by those parties. Failure to comply with the legislation itself (by not making notifications where breaches have occurred) may result in civil penalties sought by the OAIC (maximum $1.8 million for corporations, $60,000 for individuals).
Data security protocols
With many bookkeepers likely to be caught by this new data breach notification regime, prudent bookkeeping businesses will review their data security controls and make improvements where required. The legislation makes clear that when determining whether a breach is likely to result in “serious harm” (and therefore trigger the requirement to notify), a relevant factor is the security measures protecting the information (for example, whether it was encrypted and how likely it is that the encryption could be overcome). Where these controls are robust, they reduce the likelihood that an incident amounts to an ‘eligible data breach’ under the legislation, and indeed reduce the likelihood of a breach occurring in the first place. In the meantime, bookkeeping practices should:
- Be certain that the new regime applies to you – Australian Bookkeepers Association is chasing this aspect down with relevant authorities and will advise you subsequently
- Be aware of your obligations
- Keep abreast of additional guidelines released by the OAIC as we near the legislation’s commencement date
- Have rigorous IT and information security protocols in place
- Ensure your professional indemnity (PI) insurance covers cyber breaches
- Consider whether your business should have a limited liability structure (such as a company or trust)
Leaving aside the new legislative regime (which is not due to commence until next year, and which will need a number of aspects clarified before then), information and data security should be front of mind for all bookkeeping and accounting practices, given the sensitive nature of the client information held and the ease with which ransomware and other malware can cripple any business.
Peter Thorp, director, Australian Bookkeepers Network