The Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) was enacted by Federal Parliament last year to establish a mandatory data breach notification scheme in Australia. The scheme will commence on 22 February 2018.
Who is affected by the scheme?
The scheme will apply to all entities required to comply with the Privacy Act (Cth) and the Australian Privacy Principles (APP entities).
APP entities include any businesses (including private sector and not-for-profit organisations) with an annual turnover of more than $3 million.
Credit reporting bodies, health service providers, businesses that trade in personal information, businesses that collect or hold tax file number information and some other organisations will also be covered by the Privacy Act (and will be subject to the notifiable data breach scheme), irrespective of whether they meet the $3 million annual turnover threshold.
What are your obligations?
Under the new regime, an entity will be required to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals as soon as practicable after becoming aware that there are reasonable grounds to believe an ‘eligible data breach’ has occurred. Eligible data breaches arise when:
- personal information held by the entity is lost or subjected to unauthorised access or disclosure (a ‘data breach’);
- the breach is likely to result in serious harm to individuals to whom the information relates; and
- the entity has not been able to prevent the likely risk of serious harm with remedial action.
The concept of a ‘data breach’ is wide reaching. For example, it includes situations where:
- an employee leaves a device containing customers’ personal information on public transport;
- a database containing personal information is hacked externally or accessed by an unauthorised employee; and
- personal information is accidentally provided to the wrong person.
‘Serious harm’ is also intended to encompass a broad spectrum of harms including serious physical, psychological, emotional, financial, or reputational harm.
Whether a data breach is likely to result in serious harm will depend on numerous considerations. These include the type of personal information involved, the persons who have obtained the information, the sensitivity of the information, the security measures protecting the information, the circumstances of the data breach and the nature of the harm that may result. Serious harm is more likely if the information is ‘sensitive information’ or is commonly used for identity fraud. The likelihood of serious harm also increases where a greater number of individuals are affected by the data breach.
Importantly, the scheme relieves organisations of the need to notify the OAIC if they take prompt action to remedy a data breach and effectively avert the risk of serious harm. This highlights the importance of having strong plans and procedures in place to respond to data breaches when they arise.
How do you notify?
When an eligible data breach occurs, the organisation must provide a statement to the OAIC and notify individuals at risk of serious harm as soon as practicable. If it is impracticable to notify the affected individuals, the organisation must publish a copy of the statement on its website and take reasonable steps to bring its contents to the individuals’ attention.
The statement must include the following information:
- the identity and contact details of the organisation;
- a description of the data breach believed to have occurred;
- a description of the kinds of information concerned; and
- recommendations about the steps individuals should take to avoid or mitigate harm from the data breach.
What happens if you fail to comply?
Failure to notify the OAIC or affected individuals under the new regime may result in serious penalties. The legislation provides a maximum penalty of $360,000 for individuals and $1,800,000 for corporations.
The OAIC may also conduct investigations in respect of your organisation and seek other court orders, such as undertakings and declarations.
What should you do in preparation?
Organisations should review their practices for securing personal information and prepare data breach response plans in anticipation of these new provisions. In assessing whether an organisation has taken reasonable steps to protect personal information, the OAIC has indicated it will consider whether the organisation has prepared and implemented an effective data breach response plan.
Data breach response plans should cover the organisation’s strategy for assessing, managing and containing data breaches and outline the reporting lines for a suspected data breach. An appropriate data breach response plan can assist you to:
- meet your obligations under the Privacy Act;
- protect the important personal information you hold about your customers;
- respond to adverse media attention in the event of a data breach;
- reduce liability in legal action taken against you;
- protect your business reputation; and
- reinforce public confidence in your information handling capacity.
The key to complying with the new laws is to be proactive, both in securing personal information generally and in responding to any data breach that may arise.