
What do new data breach laws mean for SMSF service providers?


The Australian Privacy Amendment (Notification Data Breaches) Act 2017, which comes into effect on 22 February 2018, will have a considerable impact on the SMSF industry.


This legislation requires reporting of data breaches that are likely to result in serious harm to any individual and applies to all organisations that hold sensitive data such as TFNs, as well as all organisations with an annual turnover of $3 million or more.

Furthermore, if you are an SMSF advisor using offshore SMSF services and the administrator that you’re using is impacted by a data breach, you are liable in Australia to report the breach on their behalf.

Risks of offshore SMSF services and data breach reporting
This raises some important considerations for SMSF specialists outsourcing services to an offshore supplier. Your contractors need to disclose to you if a data breach has occurred as you are required by law to disclose the breach in Australia. Does this mean that your contractual arrangements with suppliers need to be clear on assigning responsibility to your overseas supplier to inform you of any data breaches that occur?

A responsible approach to data security
While both our practice and our advice at SaulSMSF is to use providers who conduct all work here in Australia, if you do decide to use an offshore supplier, are you confident that they have strong security practices in place? Is reasonable effort made to protect data?

What does reporting of a data breach entail?
The legislation requires that when a breach has occurred, the organisation must:

  1. Prepare a statement.
  2. Provide a copy of the statement to the Commissioner.
  3. Immediately after providing the statement, notify each individual to whom the information relates, or who is at risk.
  4. If this is not possible, then the entity must:
    - Publish a copy of the statement on the website, and
    - Take reasonable steps to publicise the contents of the statement.

The issue of mandatory reporting of data breaches increases the complexity and risks of outsourcing SMSF administration overseas. Of course, the costs of falling foul of the legislation greatly outweigh the savings of “too cheap” administration.

As Australia’s most trusted independent SMSF auditor, we offer quality audits all undertaken here in Australia, giving greater control over data security. Please contact us if you would like further advice on this issue.