Small Business

Can you afford a Data Breach?

Last year, the average data breach cost an Australian business $1.99 million.

As well as the financial cost, your business might lose reputation, goodwill and customers and leak valuable information to the competition.

You might also breach the Privacy Act and Notifiable Data Breaches scheme.

Despite this, many businesses don't take the care they should. A recent Sydney audit found that 11% of commercial rubbish bins contained personal confidential information.

Can you afford to shred in-house?

A minimum wage staff member using a shredder for one hour each week costs your business over $1000 in staff time alone. That doesn't count the cost of buying or maintaining the shredder itself.

Financial, commercial and payroll paperwork is sensitive, so many businesses don't let their casuals and junior staff do the shredding. If a senior team member does it, shredding costs even more.

Do you need to shred?

If your business handles any personal or sensitive information on paper, you need to shred it when you're finished with it.

  • Staff or client name, address, telephone number, date of birth or other identifying information.
  • Staff or client health history or medical records.
  • Staff or client financial information.
  • Handwritten forms completed by client at their first appointment.
  • Handwritten notes about a client, a project or other work matters.
  • Letters with your business name and address on them.
  • Forms, contracts and legal documents.
  • Business bank statements and tax records.
  • Personnel records.
  • Pay slips.

Are you breaking the law?

The Privacy Act 1988 applies to all businesses with annual turnover more than $3 million and to some other businesses. Penalties are up to $1.7 million for companies.

Australian Privacy Principle 11 requires businesses covered by the Privacy Act to take reasonable steps to destroy or de-identify personal information when they no longer need it. Throwing paperwork into a garbage or recycling bin is not good enough. It must be shredded or otherwise destroyed first.

As of February 2018, the Notifiable Data Breach scheme requires businesses to report data breaches to customers and the Office of the Australia Information Commissioner.

Your customers care about privacy

Protecting privacy is good for business. The Australian Information Commissioner's 2017 survey found that six in ten customers would avoid dealing with a company due to privacy concerns. Even if you're exempt from the Privacy Act, you should protect your customer's privacy. It's good business sense.

Health service providers have extra responsibilities

Most people consider their health and medical information to be highly sensitive. Privacy concerns about My Health Record are the tip of the iceberg.

Many health businesses aren't doing the right thing. A recent Sydney audit found a quarter of commercial rubbish bins at doctors’ offices contained personal medical information.

The Privacy Act has special provisions for health service providers. If your business provides a health service and holds health information, you're likely to be covered.

And it's not just doctors that are covered. The following are 'health service providers' under the Privacy Act:

  • Private hospitals, day surgeries, medical practitioners, pharmacists and allied health professionals.
  • Complementary therapists, such as naturopaths and chiropractors.
  • Gyms and weight loss clinics.
  • Child care centres and private schools.

Do your customers prefer paper?

The world is going digital, but we're not there yet. The average Australian office worker bins around 10,000 sheets of A4 paper each year.

2016 survey found that 74% of Australians prefer reading print on paper rather than on a screen.

According to the Australian Bureau of Statistics, around one million Australians have never accessed the internet. Around one in seven households don't have any internet access at all. Two in five people say they need paper records because they don't have a reliable internet connection.

If you go digital, don't leave your customers behind.

What if you already have a paper shredder?

If your business already has a shredder and you can afford the time and cost to run it, make sure you use it properly.

  • The shredder must be in safe working order.
  • Make sure it meets Security Level Three or higher, which means it shreds paper into strips no more than 2mm wide or cross-cut pieces less than 320mm2
  • Staff should be properly trained and given enough time to use the shredder.
  • Staff should not be asked to shred documents that they would not usually be shown, such as confidential client material, HR paperwork or payroll information.
  • Make sure employees and contractors shred paperwork taken offsite. Staff who take work home and contractors working offsite must bring all paperwork back into the office to shred it. A recent data breach involving hundreds of medical records dumped in public bins shows the risks.