Bidhive logo

How to comply with new data breach notification laws

January 4, 2018

New data protection clauses are likely to feature in future tender documentation. Is your company prepared?

From 22 February 2018 organisations in Australia will be faced with a new risk profile around compliance following updates to the Privacy Act 1988 (Cth).

The changes require agencies and organisations (with an annual turnover greater than $3 million) that hold personal information to report by law to the Office of the Australian Information Commissioner (OAIC) on actual or suspected breaches of data security.

The definition of a suspected beach is where there is either unauthorised access to, or disclosure of, personal information (including some deemed forms of personal information), or loss of information that is likely to lead to unauthorised access or disclosure (breach), and that breach would lead a reasonable person to conclude that it is likely to result in serious harm to the affected individuals. Harm can take many forms, including physical, emotional, reputational or financial.

Australia is the latest jurisdiction to join the global movement to regulate data protection.  In the US, 47 of the 50 states have their own differing requirements and definitions around data breaches, while the General Data Protection Regulation (GDPR) will introduce, in May 2018, a set of rules around organisations based in, or which retain or use data of EU citizens. Examples of this data include:

  • Basic identity information such as name, address and ID numbers
  • Web data such as location, IP address, cookie data and RFID tags
  • Health and genetic data
  • Biometric data
  • Racial or ethnic data
  • Political opinions
  • Sexual orientation.

What businesses should be doing to comply

It is important for businesses to demonstrate compliance with the laws by implementing internal processes that meet both assessment and notification requirements, including staff training around the new laws.

To ensure you are operationally as well as ‘tender ready’ for these new laws, organisations are strongly advised to consider, and document, how they manage risk to contain, evaluate, notify and prevent data privacy breaches.

Key considerations include (but are not limited to):

  • Processes for auditing and updating of client and customer data (eg. keeping only what is essential to operations and ensuring information is encrypted and secured)
  • An organisational chart and defined role/s of in-house or external resources responsible for management, oversight and action in case of a data breach (eg. technical forensics analyst, legal counsel and communications specialist)
  • Processes and (internal/external) systems in place around information assessments, containment of data detection breaches, data breach response planning, testing, reviews, updates and immediate action.

With consumers and businesses now more informed than ever, companies – not the hacker – need to be prepared to be blamed for lost data in the event of a breach. As stewards of data, companies that fail to comply with the new rules may face serious consequences. Prevention, transparency and responsiveness will no doubt be the new mandatory criterion around data privacy.

International trade agreements and competitive global bidding: What you need to know

For any capture or bid manager who has found themselves in a new role with a multinational or a company that conducts business internationally, understanding international trade agreements is essential.  These agreements have become game-changers for securing...

Is it OK for affiliated companies to bid against eachother?

The question of whether affiliate companies can bid against each other in procurement processes is complex. It requires understanding of legalities, procedures, and potential risks. While not inherently against the rules, transparency, clear internal guidelines, and a commitment to fair competition are key in navigating this issue.

Fears new procurement rules could lead to unregulated healthcare market

In its first major piece of primary legislation on health and care in England since the Health and Social Care Act 2012, a new health and care bill in the UK that would allow NHS bodies to award contracts for clinical care to private health care providers without competition has sparked fears that it could see a repeat of the contract scandals surrounding personal protective equipment and testing that occurred during the early stages of the COVID-19 pandemic.

COVID-19 procurement and corruption: The repercussions of emergency legislation

Current investigations into government purchasing under emergency conditions has illuminated common themes: red faces, red flags for corruption and unlawful behaviour. This includes massive gaps in record-keeping and over-spending on counterfeit products or dodgy contracts with friends and family.

Coronavirus and public procurement spend: the unreported costs

These are not normal times in procurement when there’s no competitive bidding or vetting process. Governments have acted quickly with an unprecedented outlay of fiscal spending to respond to the immediate effects of the COVID-19 crisis. But it hasn’t all gone to plan.

Slavery laws and their impact on business

New anti-slavery laws have been introduced to stamp out forced labour in supply chains. Does your company comply and how will they address this in their tender responses?

Share This