The waiting is over! Both Houses of Parliament have passed the Privacy Amendment (Notifiable Data Breaches) Bill 2016 unamended. The various Committees that reviewed the Bill raised little objection and it has progressed with bi-partisan support. Private sector and Commonwealth agencies who are subject to the Privacy Act 1988 (Cth) will now need to prepare for compliance with the new mandatory data breach notification scheme inserted as Part IIIC of the Act.
The operation of the scheme will commence automatically 12 months from becoming law by Royal Assent (a formality we expect will happen soon), if a date is not fixed by proclamation sooner.
New obligations: assessment and notification
You can find a more detailed overview of the key provisions of the Bill in our October 2016 Alert.
In summary, subject to certain exemptions, the scheme imposes new obligations on entities that are subject to the Privacy Act to:
- carry out a reasonable and expeditious assessment if they have reasonable grounds to suspect that there may have been an eligible data breach (and to take reasonable steps to complete that assessment within 30 days); and
- make the prescribed notifications (to the OAIC, and if practicable, to affected individuals) as soon as they are aware that there are reasonable grounds to believe that there has been an eligible data breach.
In the event of a suspected or actual data breach, entities should continue to comply with their data security obligations in APP 11.1 and follow the key steps recommended in the OAIC's voluntary Guide to handling personal information security breaches.
Entities should also start incorporating the scheme's assessment and notification obligations into their existing processes and procedures, so that they take effect on an organisation-wide basis. They should also consider what other practices, procedures and systems they need to develop to enable them to comply with the scheme.
Ultimately, entities should have a tailored data breach incident response plan ready, covering both cyber incidents and broader data security breaches. The plan should be supported by relevant policies and procedures, and by a dedicated and trained team drawn from legal, IT, communications and risk. It should be communicated to all staff, with appropriate training on what to do if they suspect or become aware of a data breach or other cyber security incident. The plan should be tried and tested so that it can be implemented immediately, and it should be regularly updated.
Entities should also review:
- their insurance policies, to see if they are covered for data breach costs, claims and penalties and if not, consider purchasing appropriate cyber liability insurance; and
- the privacy and data security clauses in their contracts with third parties, to understand whether they support compliance with these new obligations and who should be allocated responsibility for the assessment and notification steps in any situation.