Australia's mandatory notifiable data breaches scheme under the Privacy Act 1988 (Cth) is now in effect, with substantial penalties for non-compliance.
Organisations and Federal agencies subject to the Privacy Act must now provide notice as soon as practicable to the Office of the Australian Information Commissioner and affected individuals where there are reasonable grounds to believe that an "eligible data breach" has occurred (unless an exception applies). Relevantly:
- a data breach will arise where there has been unauthorised access to, or unauthorised disclosure of, personal information about one or more individuals, or where such information is lost in circumstances that are likely to give rise to unauthorised access or unauthorised disclosure (for example, leaving the information on the bus);
- an eligible data breach will arise where a reasonable person would conclude that there is a likely risk of serious harm to any of the affected individuals as a result of the unauthorised access or unauthorised disclosure;
- serious harm, while undefined, is likely to include serious physical, psychological, emotional, economic and financial harm, as well as serious harm to reputation; and
- serious harm will be likely if such harm is "more probable than not" having regard to a list of relevant matters to be included in Part IIIC. The matters include the sensitivity of the information, any security measures taken (such as encryption) and how easily those security measures could be overcome (for example, if the encryption key has also been accessed).
The three key actions you need to take (if you haven't already) are:
- audit your current information security processes and procedures to ensure they are adequate;
- prepare a data breach response plan (or update your current plan); and
- train the right officers and employees about responding to data breaches.
You can learn more about the scheme here, or contact your nearest privacy law expert to help you ensure you're ready to comply with it.