In this update, we explore the next steps for a Listed Investment Company (LIC) now that mandatory breach reporting is law. This includes the appropriate policies and a Data Breach Response Plan.
On 22 February 2018, changes to the Privacy Act 1988 (Cth) (Privacy Act) came into force. These changes are commonly referred to as the ‘Notifiable Data Breach Scheme’ (NDBS). Now an organisation, including an LIC, must notify individuals affected and the Office of the Australian Information Commissioner (OAIC) where there is a ‘notifiable data breach’.
More information on the changes and when a ‘notifiable data breach’ occurs is available here.
This paper is intended to address the policies and procedures that need to be updated following the amendment to the Act, as well as the obligation to have an appropriate Data Breach Response Plan (DBRP).
NDBS and LICs
The NDBS recognises that entities often hold personal information jointly. In the case of an LIC, this could mean that legal title to personal information is held by the LIC; however, the day-to-day possession of the information would be held by a third-party provider (e.g. Share Registry or Investor Relations Team).
Both the holder of the legal title of information and the third-party provider have obligations under the NDBS. However, compliance by one entity will be treated as compliance for both entities in relation to the NDBS. The OAIC recommends that compliance should be undertaken by the entity that has the most direct relationship with the individuals who could be impacted in the event of a data breach. However, the onus is on the holder of the legal title to the information to ensure appropriate safeguards are in place, as well as a DBRP, should a notifiable data breach occur.
The amendment to the Privacy Act places responsibilities on entities to consider their privacy obligations and have appropriate policies in place to address ‘knowledge gaps’, ‘deficiencies’ or ‘lax attitudes’ to privacy. If your LIC or Investment Manager holds an AFSL, greater scrutiny applies.
If an organisation has been tardy or lax in complying with the Australian Privacy Principles (APP) contained in the Privacy Act, it can reasonably be concluded that the entity is at a higher risk of a data breach occurring. Developing a policy, or updating an existing one, gives an organisation an opportunity to address deficiencies and prioritise the APP.
The OAIC has provided a guide on developing a data breach response plan. The OAIC reaffirms that the faster an entity can respond to a data breach, the more likely it is to contain the data breach. A DBRP is essential in acting quickly and provides a framework or a checklist of tasks and next steps.
A DBRP is not mandatory; however, it is a useful tool to ensure an entity is appropriately prepared to deal with the changes to the Privacy Act. Any plan should note that APP 11 requires the LIC to take ‘reasonable measures’ to protect personal information. Addressing the issue after a breach has occurred may be too late, and the entity could face significant fines.
- LICs should identify all the ‘personal information’ they ‘hold’ as defined by the NDBS.
- Once personal information is identified, an LIC should ensure that the information is stored in accordance with best practice and, if required, seek advice on data/cyber security as appropriate.
- Review current privacy policies and ensure they are updated to account for changes to the Privacy Act.
- Prepare a DBRP.
- Ensure that your DBRP is communicated to all staff and relevant stakeholders. Consider whether training is appropriate.
- Where information is stored by third-party providers:
  - A contract review is required to ensure it addresses responsibility and responses should a data breach occur.
  - Review and approve the third-party provider’s Mandatory Data Breach Policy. This includes the definition of ‘data breach’ and ‘personal information’ to ensure compliance with your LIC’s policies.
  - Review the DBRP of the third-party provider for consistency with your own DBRP.
- Conduct annual reviews.