Small Business

Can you afford a Data Breach?

In 2016, the average data breach cost an Australian business $2.64 million.

As well as the financial cost, your business might lose reputation, goodwill and customers and leak valuable information to the competition.

You might also breach the Privacy Act.

Despite this, many businesses don't take the care they should. A recent Sydney audit found that 11% of commercial rubbish bins contained personal confidential information.

Can you afford to shred in-house?

A minimum wage staff member using a shredder for one hour each week costs your business over $1000 in staff time alone. That doesn't count the cost of buying or maintaining the shredder itself.

Financial, commercial and payroll paperwork is sensitive, so many businesses don't let their casuals and junior staff do the shredding. If a senior team member does it instead, it costs even more.

Do you need shredding?

If your business handles any personal or sensitive information on paper, you need to shred it.

  • Staff or client name, address, telephone number, date of birth or other identifying information.
  • Staff or client health history or medical records.
  • Staff or client financial information.
  • Handwritten forms completed by a client at their first appointment.
  • Handwritten notes about a client, a project or other work matters.
  • Letters with your business name and address on them.
  • Forms, contracts and legal documents.
  • Business bank statements and tax records.
  • Personnel records.
  • Pay slips.

Are you breaking the law?

The Privacy Act 1988 applies to all businesses with an annual turnover of more than $3 million, and to some smaller businesses as well, such as health service providers. Penalties for companies are up to $1.7 million.

Australian Privacy Principle 11 (security of personal information) requires businesses covered by the Privacy Act to take reasonable steps to destroy or de-identify personal information once they no longer need it. Throwing paperwork into a garbage or recycling bin is not good enough: it must be shredded or otherwise destroyed first.

From February 2018, the Notifiable Data Breaches scheme will require businesses covered by the Privacy Act to notify the Office of the Australian Information Commissioner, as well as the affected individuals, of any eligible data breach (one likely to result in serious harm to the people whose information was involved).

Your customers care about privacy

Protecting privacy is good for business. The Australian Information Commissioner's 2017 survey found that six in ten customers would avoid dealing with a company due to privacy concerns. This means that even if the Privacy Act doesn't apply to your business, you should take steps to protect customer privacy.

Health service providers have extra responsibilities

Most people consider their health and medical information to be highly sensitive. Eight in ten Australians trust their health service providers.

But the data shows that many don't live up to that trust. A recent Sydney audit found a quarter of commercial rubbish bins at doctors' offices contained personal medical information.

The Privacy Act has special provisions for health service providers. If your business provides a health service and holds health information, you're likely to be covered.

And it's not just doctors that are covered. The following are 'health service providers' under the Privacy Act:

  • Private hospitals, day surgeries, medical practitioners, pharmacists and allied health professionals.
  • Complementary therapists, such as naturopaths and chiropractors.
  • Gyms and weight loss clinics.
  • Child care centres and private schools.

Do your customers prefer paper?

The world is going digital, but we're not there yet. The average Australian office worker uses around 10,000 sheets of A4 paper each year.

A 2016 survey found that 74% of Australians prefer reading print on paper rather than on a screen.

According to the Australian Bureau of Statistics, around one million Australians have never accessed the internet. Around one in seven households don't have any internet access at all. Two in five people say they need paper records because they don't have a reliable internet connection.

If you go digital, don't leave your customers behind.

What if you already have a paper shredder?

If your business already has a shredder and you can afford the time to run it, make sure you use it properly.

  • The shredder must be in safe working order.
  • Make sure it meets Security Level Three or higher (DIN 66399 level P-3), which means it shreds paper into strips no more than 2 mm wide or cross-cut pieces of less than 320 mm². Strips can still be pieced back together, so cross-cut is the better choice for your most sensitive paperwork.
  • Staff should be properly trained and given enough time to use the shredder.
  • Staff should not be asked to shred documents that they would not usually be shown, such as confidential client material, HR paperwork or payroll information.
  • Make sure employees and contractors shred paperwork taken offsite. Staff who take work home and contractors working offsite must bring all paperwork back into the office to shred it. A recent data breach involving hundreds of medical records dumped in public bins shows the risks.