With new privacy law changes coming into effect from 22 February 2018, all Australian business owners – including conveyancers – will need to implement changes to their practice in regard to their risk management procedures.
So what does this look like from a business perspective and how does it impact our customers?
First, there will be clear obligations to report any data breaches. The new laws incorporate all kinds of data – for example names, addresses, email addresses, genders, family members, financial information, tax file numbers, medical history and so on. Therefore, as previously, the personal information that a conveyancer needs to collect from you to assist with your property transaction must continue to be safely stored to prevent loss or unauthorised disclosure.
However in the event of a breach from hacking, loss or theft the breach must be reported and, if confirmed, you the consumer must be advised and provided with a recommendation of further steps to be taken. A statement outlining the breach must also be submitted by the conveyancer to the Office of the Australian Information Commissioner (OAIC).
The strengthening of these laws is designed to:
- Prevent data breaches of consumer personal information from being covered up
- Prevent financial, psychological, reputational or physical harm from the theft of personal information
- Prevent identity theft and crime
From a business perspective, procedures of storing personal data should be carefully reviewed to ensure it is well managed and includes security technology such as encryption, backups, restricted access, passwords and so on.
In addition, cyber insurance should now be something that is considered essential, which brings its own inherent safeguards – for example an excess on any claim for a business such as Tracey Warden Conveyancer would run into the thousands regardless of whether or not the company is found to have made an error. If there is an error and an assessment is required, as well as notification to consumers and the OAIC, the cost increases dramatically. This financial impact should certainly act as a deterrent to poor data security and storage.
The second aspect of the privacy laws (which does not come into effect until 25 May, 2018) is that a new law, the GDPR (General Data Protection Regulation), is introduced with global implications. This law applies to data stored or processed either in the EU or, outside the EU but impacting individuals within it, and signals the awareness in Australia of requirements for appointing a data protection officer, an individual’s right to be forgotten, and the right to data portability. This new law might be the source of another blog in May…
To conclude, the changes to the privacy laws are designed to protect you, the consumer. Recognising that customers are required more and more to provide personal data to access goods and services in our cyber economy, these laws ensure the organisations you are doing business with are protecting your personal information and, if not, they are held accountable.