Categories: News and Resources

Katie Ferro


A fresh set of data protection rules have just kicked off for many Australian companies in the form of the Notifiable Data Breaches Act.

On the ground, the new data notification scheme could result in a number of scenarios. One, businesses who aren’t prepared will be scrambling to get their heads around the new rules before a worst-case scenario happens.

Or two, companies like ours, who have acknowledged and addressed cyber security issues will embrace the changes, having already implemented and constantly updated policies and procedures to protect client and personal data.

While similar laws have been enacted in the European Union and some states across the US, this is the first time that Australian companies will have to comply. As we have seen overseas, notification of data breaches have serious reputational and economic consequences for businesses, think Yahoo, LinkedIn, Target and more recently credit reporting agency Equifax. Added to this there is the impact on those whose personal data has been breached.

Under the new scheme businesses that are already subject to the Australian Privacy Principles, including market and social research firms, will need to comply along with businesses with an annual turnover of more than $3 million and Australian Government agencies.

If a data breach that is likely to result in “serious harm” is discovered, organisations will have to notify the Office of the Australian Commission (OAIC) as well as the affected individuals as soon as practicable after they become aware of a breach.

The Association of Market and Social Research Organisations (AMSRO) has been supporting members in the lead up to the new scheme with their guidelines, amongst other things, citing three examples of data breaches:

  • A device containing customers’ personal information is lost or stolen.
  • A database containing personal information is hacked.
  • Personal information is mistakenly provided to the wrong person.

There is no doubt that the start of the new laws and the publicity surrounding data breaches will impact businesses and the confidence of those who hand over their personal information.

As part of our ongoing commitment to protect our clients and the personal information provided to us by our research community, we have in place the following physical, electronic and managerial procedures, we:

  • Use appropriate encryption when collecting or transferring sensitive data.
  • Transfer all files using password protection.
  • Provide respondents with tips about protecting their privacy including reminders to close their browser when they have finished a user session.
  • Fully endorse and comply with the Australian Privacy Principles (APPs) in the Privacy Act (1988) in relation to the handling of personal information.
  • Comply with the Market and Social Research Privacy Code (2014), which sets out how the APPs are to be applied in relation to the collection, retention, use and disclosure of personal information in market and social research.
  • Are accredited with Market Research Industry Trustmark, which is a seal of endorsement that ensures AMSRO member companies are compliant with the highest ethical standards, particularly in regards to privacy. It also provides buyers of research the assurance that their data is protected.

A recent study from Hewett Packard indicated that almost half of all Australian SMEs with an annual turnover of AU$3 million did not feel they were prepared for the new laws.

Therefore, organisations need to ensure that they put as much focus on data security as they do in the utilisation of that data.

CRNRSTONE, formerly Stable Research, will continue to build on our policies and procedures to meet new digital security challenges, ensuring that our ongoing relationship with clients and research participants is key. And to help our Clients – please feel free to  Download our Cyber Checklist.