I am not sure if you are like me, and stockpile books for those wonderful days over Christmas where you get to read. The bliss……
But something always happens that ruins that, so let me apologise up front: I am sorry.
In the past 12 months highly publicised data breaches like those at Uber, David Jones, Equifax and Kmart have given us an insight into how widespread the issue is, and the reputational damage these incidents pose. You might have also noticed the passage of the Privacy Amendment (Notifiable Data Breaches) Act 2017 which has establishes a Notifiable Data Breaches (NDB) scheme in Australia. This little gem which kicks in on February 22, 2018, requires organisations covered by the Australian Privacy Act 1988 (Privacy Act) to:
- notify any individual/s likely to be at risk of serious harm by a data breach,
- outline recommendations that those individuals should take in response to the data breach, and
- notify the Australian Information Commissioner (Commissioner) of the breach.
What should you do?
As they say: 'prevention is better than cure', therefore it would be prudent to review where personal information is being stored and the practices, procedures and systems for securing same. Your challenge isn't simply theft of data as mentioned above, but may include any accidental transfer of information.
The guide provided by the Office of the Australian Information Commissioner (OAIC) outlines some common examples:
- Lost or stolen laptops, removable storage devices, or paper records containing personal information;
- Hard disk drives and other digital storage media (integrated in other devices, for example, multifunction printers, or otherwise) being disposed of or returned to equipment lessors without the contents first being erased;
- Databases containing personal information being ‘hacked' into or otherwise illegally accessed by individuals outside of the agency or organisation;
- Employees accessing or disclosing personal information outside the requirements or authorisation of their employment;
- Paper records stolen from insecure recycling or garbage bins;
- An agency or organisation mistakenly providing personal information to the wrong person, for example by sending details out to the wrong address; and
- An individual deceiving an agency or organisation into improperly releasing the personal information of another person. 1
It’s a lot to think about.
From a functionality point of view, did you know that XPLAN recently released iAssist (Version 2.23). iAssist enables us to give you better and faster support on your own site with no interruption to your user’s session. You can allow IRESS support staff to temporarily gain access to your site in place of an existing user, being able to see exactly what the user sees. Its one of the many changes we have been introducing to better support our clients and ensure we fully comply with legislative and regulatory change around the globe.
Some additional things to think about……
- Is personal information being synchronised to other systems?
- Do your staff have more capabilities than they should?
- Do they really need to be able to Xport or export data?
- What clients can they see, and what do they need to see?
- Who can see or edit Tax File Numbers?
- Are you storing confidential data like driver’s licences appropriately?
- Do you share logins (ie. are audit trails compromised as you cannot know who has actually accessed the system)?
- Are you 'locking' your PC/Laptop/device when you walk away from your desk?
- What are the protocols for visitors in the office?
- How do you destroy paper copies of documents (shredding, security bins, etc.)?
- If staff are taking paper copies or USBs off site, what do they do if they lose it?
Your licensee, or compliance facilitator would also be great resources for information.
From an IRESS perspective, we have protocols relating to how we store and manage your data. You can speak with your Account Executive if you want additional ideas on how we can assist you with compliance.
Although this change is still a number of weeks away it may well not have been included in your planning (and you're not alone, the numerous discussions I've had on the topic with clients suggests this have snuck in under the radar). To assist, I have included lots of additional information. Hopefully, you will still get to the books that were in your reading list.