Candidates will ask the question: “Where is my video interview and resume stored?”
Do you know the answer?
How safe is your candidates’ or employees’ data, and does your provider meet Australian privacy laws?
- Before an APP (Australian Privacy Principle) entity discloses personal information to an overseas recipient, the entity must take reasonable steps to ensure that the overseas recipient does not breach the APPs in relation to the information (APP 8.1).
- An APP entity that discloses personal information to an overseas recipient is accountable for any acts or practices of the overseas recipient in relation to the information that would breach the APPs (s 16C).
This is just a summary of a couple of key points I found.
With sensitive information such as resumes and videos, it is important that you do your research on the company you’re engaging. Are they choosing where to store your private information on price rather than on security? Where is your data?
Below is a video which explains the basics.
The NDB scheme
Data breaches are commonplace in an increasingly digital world. New laws are in effect that will require thousands of Australian companies to notify individuals and the Government if they believe a data breach has occurred within their IT systems causing personal information to be compromised.
Previous high-profile data breaches include Uber’s debacle, in which the personal information of reportedly 57 million Uber customers and drivers was stolen and Uber failed to disclose the breach for over a year, and the 2016 admission by the Red Cross that the personal data of over half a million Australian blood donors may have been compromised. These new laws are overdue and much needed to give individuals greater certainty about the security of their personal information.
What is it?
Australia’s new mandatory data breach reporting laws come into effect on 22 February 2018. Known as the Notifiable Data Breaches (NDB) scheme, the new legislation will be contained within Part IIIC of the Privacy Act 1988 and largely mirrors similar laws introduced in other countries, including the USA.
Who does it apply to?
Any agency or organisation already subject to the Privacy Act (known as an APP entity). This includes Australian Government agencies, businesses and not-for-profit organisations with an annual turnover of at least $3 million, health service providers and more. Generally, small business operators (including sole traders and unincorporated associations) with an annual turnover under $3 million will not be subject to the NDB scheme’s obligations.
What are the new obligations?
If the organisation incurs an “eligible data breach”, within 30 days it must notify the individuals who are likely to suffer serious harm as a result of the breach. The notification must include recommendations about the steps individuals should take in response to the breach. The organisation must also alert the Australian Information Commissioner of an eligible data breach. This can be done through an online form, the Notifiable Data Breach statement.
An eligible data breach is one in which there is unauthorised access to, disclosure of, or loss of personal information held by an entity, and that access, disclosure or loss is “likely to result in serious harm to any of the individuals to whom the information relates”. Examples include the hacking of a database containing personal information, or personal information that is mistakenly sent to the wrong person. The scheme is not retrospective: if the breach occurred prior to 22 February 2018, it is not considered an eligible data breach for the purposes of this scheme, even if it is discovered after that date.
The legislation distinguishes between notifiable and non-notifiable breaches. If an organisation can show that it has taken appropriate steps to mitigate the breach, then notification is not required.
What if I fail to report?
The consequences are potentially significant: a business that fails to report an eligible breach faces penalties of up to $360,000 for individuals and $1.8 million for organisations. For those affected, the release of personal names, email addresses and phone numbers may leave them susceptible to phishing attacks. Information such as driver’s licence numbers and bank account details could lead to fraud, identity theft and money laundering.
How often do data breaches occur?
Data breaches are frequent and have in the past often been covered up, with those most affected having little to no knowledge that their personal information has been compromised.
In 2017 it was reported that more than 1 in 10 Australians potentially had personal information stolen in a security breach that ride-sharing company Uber allegedly covered up for over a year. Uber revealed that the personal information of a staggering 57 million customers and drivers (including names, email addresses and mobile phone numbers) had been compromised in a data theft, and that the company paid US$100,000 to the perpetrators to delete the stolen data. It was not until November 2017 that Uber notified the Privacy Commissioner. There was a distinct failure to notify affected individuals and regulators.
Had Australia’s new mandatory data breach reporting laws been in effect, Uber would have been penalised for its failure to contact victims and report the breach to the Australian Information Commissioner.