I’m only a startup, should I be worried about my obligations under the Privacy Act?


November 30, 2021 by bolter

Good question! Firstly, realise you are a potential target precisely because you are a startup! Despite your relatively small organisation size, it is important to build a foundation of strong data protection and security practices. An information-centric approach, one that starts from what personal information you hold and where, can be key for a small business in mitigating the risk posed by attackers who deliberately go after smaller, less well-defended entities.

While Australian privacy and information security laws are complex, it is important to understand your and your business's obligations. If your business suffers a notifiable data breach (NDB), there are important steps to follow to comply with Australian privacy laws.

What is the Privacy Act?
The Privacy Act 1988 (Cth) (the Act) regulates the way organisations collect, handle, use and disclose an individual's personal information. The Act primarily regulates Australian Government agencies and organisations with an annual turnover greater than $3 million, together with small businesses that opt in and businesses that deal with health data or credit reporting.

What is the NDB Scheme?
Any organisation regulated by the Privacy Act must notify affected individuals and the Office of the Australian Information Commissioner (OAIC) when a data breach is likely to result in serious harm to an individual.

A data breach occurs when personal information held by an organisation is lost, or is subjected to unauthorised access or disclosure. Most commonly this covers hacking and accidental disclosure (such as sending personal information to the wrong person).

An organisation that suspects an eligible data breach may have occurred must act quickly to assess the incident. We recommend you have a legal expert assess whether or not the data breach falls within the NDB scheme, which would make reporting it to the OAIC and affected individuals mandatory. If you get this assessment wrong, the implications can be significant.

What happens if I have an NDB incident?
In the event that a notifiable data breach incident occurs, you should complete an Eligible Data Breach Statement within thirty (30) calendar days of the data breach. This statement is available online on the OAIC website. Then, using the content of the Eligible Data Breach Statement, you should prepare and send a separate notification to those affected by the breach. We recommend having a legal professional draft this notification and, where warranted, involving a public relations or brand reputation expert in the communications.

Finally, you should consider whether you are required to notify your insurer under any policy of insurance (cyber insurance or otherwise). Early notification can offer significant assistance in funding legal or cyber advice and in preparing the Eligible Data Breach Statement.

What happens if I fail to notify the OAIC?
The Australian Information Commissioner has broad powers to enforce penalties against businesses that interfere with an individual’s privacy. The maximum penalty for the successful prosecution of this interference may include a civil penalty of up to $402,000 for individuals and $2,100,000 for corporations.

How does my organisation stay protected?
While it is impossible to guarantee that personal information is entirely secure and safe, there are several preventative and response measures your organisation should implement to protect against and lessen the impact of a data breach.

To prevent data breaches, there are organisational and personnel measures to deploy within your organisation. To protect the organisation broadly:

  • store physical and electronic records securely, and make them accessible only to the personnel who require access;
  • use adequate, up-to-date security software;
  • conduct regular cybersecurity risk assessment audits; and
  • encrypt and back up sensitive data.

To protect individual personnel, conduct staff training to raise awareness and implement organisational data security policies, such as a password policy that requires personnel to use robust, secure and unique passwords which are changed often.

We also highly recommend preparing a comprehensive data breach response plan. This should set out your organisation's strategy for identifying, containing, assessing and managing a data breach incident. Such a plan helps limit the consequences of a data breach and supports the confidence customers or clients have in your ability to manage their information.

The plan should cover what constitutes a data breach; a strategy for containing, assessing and managing breaches; the roles and responsibilities of key personnel within the organisation; how to document the data breach; and a review and evaluation of how to prevent a similar breach in the future.

Our team has extensive knowledge of the privacy and data handling legal sector. If you or your business needs advice on a potential notifiable data breach that may have occurred, or would like us to prepare a comprehensive data breach response plan for your organisation, please don't hesitate to contact a member of our Bolter team here.

Filed Under: Intellectual Property & Trade Marks
