Welcome to 2018! There are 2 big changes in 2018 that may affect you and your business. Without wanting to panic you, big fines may apply if your business (and your employees) don’t abide by these new laws.
They are:
1. Single Touch Payroll (STP)
2. Notifiable Data Breaches (NDB)
Single Touch Payroll
STP is a reporting change for employers.
It means employers will report payments such as salaries and wages, pay as you go (PAYG) withholding and super information to the ATO directly from their payroll software at the same time as they pay their employees.
The introduction of STP for employers with more than 20 employees will start on 1 July 2018, while STP for employers with 19 or less employees will begin on 1 July 2019.
ACTION STEP: Check your Payroll Software. Does it automatically update for STP, or do you need to update it?
The majority of our clients are using Xero for accounting and payroll, and Xero will be automatically updated for STP.
Notifiable Data Breaches
The NDB scheme will apply to businesses and agencies that the Privacy Act requires to take steps to secure certain categories of personal information.
This includes business and not-for-profit organisations with an annual turnover of $3 million or more, and for any business that provides health services or that trades in personal information.
Mandatory data breach notification is a legal requirement designed to protect the individuals affected by a data breach so that they may take the necessary steps and measures to protect themselves from any harm or damage. Notifying affected individuals is good privacy practice, as it gives each person the opportunity to take proactive steps to protect their personal information and also helps to protect an organisation’s reputation by displaying transparency and openness.
The mandatory data breach notification scheme being introduced will require entities to promptly notify the Office of the Australian Information Commissioner (OAIC) and any potentially affected individuals of an “eligible data breach”.
Examples of a data breach would include and not be limited to:
- Loss of a computer or data storage device containing personal information
- Unauthorised access to personal information as a result of a hacking attack or data breach
- Employees or contractors accessing or disclosing personal information outside the bounds of their employment
- Emailing, sending or simply providing personal information to the incorrect people
The NDB scheme will commence on 22 February 2018 and will require businesses to provide notice to the Office of the Australian Information Commissioner (OAIC) and affected individuals of a data breach.
Individuals and businesses that fail to comply with the notifications rules risk being fined up to $340,000 and $1.7 million respectively.
ACTION STEP: You need to take “reasonable steps” (as defined by OAIC) to ensure the security of any personal information held by your business.
This means ensuring all employees are aware of these new laws and don’t do anything that may result in your business being fined a large amount!
Reasonable steps would include:
- Performing or conducting Privacy Impact Assessments (PIA)
- Implementing Privacy by design principles
- Performing information security risk assessments
- Creating and maintaining a Privacy Policy
- Having a comprehensive and up to date set of information security policies
- Restricting physical and logical access to personal information on a “need-to-know” basis
- Keeping your software up to date and current
- Employing multi factor authentication
- Configuring your systems for security
- Employing end point security software
- Security monitoring tools to detect breaches
- Using network security tools
- Penetration testing exercises
- Vulnerability assessments
- Having a data breach response process