ber, Ashley Madison, Equifax: these brands are known for ride hailing, infidelity and credit scores respectively, but also for the exposure of customer information.
As of today, many businesses that operate in Australia are subject to the country’s new notifiable data breaches scheme.
Lose a hard drive? Give an unauthorised person patient files? In certain circumstances, companies will have to tell the Office of the Australian Information Commissioner (OAIC) and any individual affected if personal data are lost, stolen or leaked.
If you use any services that collect details about you — from your birth date to your shoe size — here is what you need to know.
When is it personal?
Certain companies or government agencies must disclose a breach if the data includes personal information that is likely to result in serious harm.
So, what is “personal information”? Think of it as any information about a person that would identify them or allow them to be reasonably identifiable.
“It covers a broad range of information that exceed name, address — the really obvious ones,” explained Australian Privacy Commissioner Timothy Pilgrim.
This term is purposefully flexible, agreed Anna Johnston, the director of consultancy firm Salinger Privacy.
Flexibility is important because new technologies, such as machine learning algorithms, are increasingly able to re-identify data that may appear anonymous.
For example, something as simple as an IP address — essentially, your computer’s internet street address — could be used to identify you if combined with another data set that included your birthdate and internet habits.
Is the breach ‘likely to result in serious harm’?
If a data breach involves personal information, it must be disclosed if the breach is likely to result in “serious harm” to any affected individual.
This is not simply the annoyance of getting a new credit card if your number is stolen — “serious physical, psychological, emotional, financial, or reputational harm” are all included.
Consider the situation of a domestic violence survivor or a family court judge, for instance.
“There are lots of different people … who would be placed at much greater risk of harm if their home address or their history of movement — geolocation data — was exposed versus simply a credit card number,” Ms Johnston explained.
View Full Article