Last week saw the European Union introduce new General Data Protection Regulations (GDPR).
The Regulation seeks to create a harmonised data protection law framework across the EU and aims to give data subjects back control of their personal data, whilst imposing strict rules on those hosting and processing this data, anywhere in the world.
On a practical level, individuals will be able to demand that companies reveal or delete the personal data they hold about them, and Regulators will be able to work collaboratively with the EU, rather than having to launch action independently. Maximum fines have increased in line with the new regulations, with the maximum now 4% of the company’s global turnover, or 20 million Euro (approximately 31 million AUD).
The change has led to widespread changes for companies and provides more power to individuals. People can now withhold consent for certain uses of data, request access to personal information from data brokers, and delete their information from websites altogether.
For Australian businesses providing services to the EU, you’ll need to abide by the regulation, and here is some advice to help support you: https://www.oaic.gov.au/privacy/guidance-and-advice/australian-entities-and-the-eu-general-data-protection-regulation/
Even though Australian businesses aren’t necessarily yet required to abide by the EU regulation, let’s take a look at how your company can ensure it’s complying with best practice when it comes to data storage.
Fair Work Australia offers a checklist for best practice on workplace privacy.
- Is there a policy and practice on how employee personal information is collected and handled?
- If so, how is the policy and practice communicated to staff and how are people made aware of it? How is it made available to employees?
- Does the business only collect and retain information about employees that is necessary?
- Is personal information held by the business complete and up-to-date?
- Does the business retain personal information in a secure way?
- When providing information to a third party, has the business ensured that it has complied with its own privacy obligations? For example, if information is being provided to meet a lawful request, has the business only provided information that is necessary to comply with that request?
- Does the business have policies in place about use of electronic equipment which set out appropriate personal and business use and which make clear how the business monitors employee use of electronic equipment?
When it comes to the information that can be supplied to third parties, the rules are quite clear. In certain circumstances, an employer may need to disclose employee records.
A Fair Work Inspector can request information about employees, in order to make sure the business is meeting employment obligations. This falls under the Fair Work Act. Similarly, some government agencies can request information as part of a criminal investigation. The employer must verify that the agency has the power to request the information and seek consent from the candidate to provide the information. Permit holders may enter a business to investigate a suspected breach of the Fair Work Act or an industrial instrument. Whilst on the premises, the permit holder may ask to inspect or copy documents.
What happens when there is a breach of data? There have recently been changes to the laws surrounding data breaches that you must understand. Enacted in February, the Notifiable Data Breaches scheme (NDB) introduced an obligation to notify any individuals involved in a data breach that may result in serious harm. Upon a data breach, agencies and organisations must assess whether the breach could cause serious harm. According to the Office of the Australian Information Commissioner, a data breach occurs when:
1. There is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, that an entity holds (see, What is a ‘data breach’?)
2. This is likely to result in serious harm to one or more individuals (see, Is serious harm likely?), and
3. The entity has not been able to prevent the likely risk of serious harm with remedial action (see, Preventing serious harm with remedial action).
For more information regarding what constitutes a data breach, click here.
Research from ServiceNow’s global report, Today’s State of Security Response: ‘Patch Work’ Demands Attention, obtained via ARN, suggests that over half of Australian businesses have experienced a data breach in the last 12 months. 48% of these were the result of a known security exploit for which a security patch was available at the time of the breach.
The best way to ensure that you are delivering best practice when it comes to privacy and security is to start with an audit. One of WorkPro’s partners, Certex International (https://www.certex.com.au/), is a specialist in certification and offers various programs and support for companies to understand and implement robust standards. WorkPro has undertaken a privacy audit, implemented the recommendations, and is proud to be certified against the standard.
As a compliance specialist, WorkPro is committed to helping users understand Australian privacy laws, including each party’s rights and responsibilities, and to providing our users with confidence when it comes to securing their information.
The module is available as part of any WorkPro induction subscription. Something to explore?
WorkPro is also embarking on our latest round of functional updates. This includes new police check requirements, as part of the Federal Government’s identity security strategy, and also the extension of our probity checks.
These updates have led us to introduce more sophisticated data protection protocols and the introduction of the option for a user to establish their own personal identity vault.
The vault invites candidates to safely and securely store their identity documents, rather than having to repeatedly upload them.
The vault uses military-grade encryption for both transmitting and storing documents, which means that candidates can utilise and attach their identity documents across various checks within WorkPro.
Think about it. If a candidate is asked to complete a citizenship check and they upload an Australian Passport, (a) that information should be securely stored and (b) they should be able to use the identity for other checks.
By uploading and storing it in their vault, the identity is under lock and key, password protected by the candidate and protected using WorkPro’s security protocols, and the candidate can apply the uploaded identity against another check to save time and effort.