by Tom Bloomfield and Tharun Kuppanda
In this update, we explore the next steps for a Listed Investment Company (LIC) now that mandatory breach reporting is law. This includes the appropriate policies and a Data Breach Response Plan.
On 22 February 2018, changes to the Privacy Act 1988 (Cth) came into force (Privacy Act). These changes are commonly referred to as the ‘Notifiable Data Breach Scheme’ (NDBS). Now an organisation, including a LIC, must notify individuals affected and the Office of the Australian Information Commissioner (OAIC) where there is a ‘notifiable data breach’.
More information on the changes and when a ‘notifiable data breach’ occurs is available here.
This paper is intended to address the policies and procedures that need to be updated following the amendment to the act as well as the obligation to have an appropriate Data Breach Response Plan (DBRP).
The NDBS recognises that entities often hold personal information jointly. In the case of a LIC, this could mean that legal title to personal information is held by the LIC, while day-to-day possession of the information is held by a third-party provider (e.g. Share Registry or Investor Relations Team).
Both the holder of the legal title to the information and the third-party provider have obligations under the NDBS. However, compliance by one entity will be treated as compliance for both entities in relation to the NDBS. The OAIC recommends that compliance should be undertaken by the entity that has the most direct relationship with the individuals who could be impacted in the event of a data breach. However, the onus is on the holder of the legal title to the information to ensure appropriate safeguards are in place, as well as a DBRP, should a notifiable data breach occur.
The amendment to the Privacy Act places responsibilities on entities to consider their privacy obligations and have appropriate policies in place to address ‘knowledge gaps’, ‘deficiencies’ or ‘lax attitudes’ to privacy. If your LIC or Investment Manager holds an AFSL, greater scrutiny applies.
If an organisation has been tardy or lax in complying with the Australian Privacy Principles, it can reasonably be concluded that the entity is at a higher risk of a data breach occurring. The development of a policy or updating an existing policy provides an organisation an opportunity to address deficiencies and prioritise the Australian Privacy Principles (APP) contained in the Privacy Act.
The OAIC has provided a guide on developing a data breach response plan. The OAIC reaffirms that the faster an entity can respond to a data breach, the more likely it is to contain the data breach. A DBRP is essential in acting quickly and provides a framework or a checklist of tasks and next steps.
A DBRP is not mandatory; however, it is a useful tool to ensure an entity is appropriately prepared to deal with the changes to the Privacy Act. Any plan should note that APP 11 requires the LIC to take ‘reasonable measures’ to protect personal information. Addressing the issue after a breach has occurred may be too late, and the entity could face significant fines.
This update is prepared by the Company Secretarial Team at Boardroom Pty Limited. The update is designed to provide general information and is not designed to replace legal or tax advice or a detailed review of the subject matter nor is it intended to cover all circumstances.