The Notifiable Data Breach scheme, established by the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth), commenced on 22 February 2018. Broadly, the scheme provides that companies must take reasonable steps to notify all potentially affected individuals of an eligible data breach, and report the breach to the Office of the Australian Information Commissioner.
One month on from the commencement of the scheme, Svitzer Australia has reported that a notifiable data breach involving the personal information of approximately half of its employees. This breach is one of the first to be notified under the new laws.
This breach occurred over a period of nearly 11 months, and involved the auto-forward function which saw emails from three employee accounts being automatically forwarded to an external source. Investigations are currently being undertaken, but it has been confirmed that the leaked information may include employee information such as tax file numbers and superannuation details.
What is the risk?
Apart from the risk of business disruption; loss of faith by employees, customers and service providers; and potential claims by those affected, businesses operating in Australia now face significant penalties if they don't have in place sufficient systems to prevent, detect and report on such cyber security data breaches.
But these were employee records? Does this mean we cannot rely on the employee records exemption?
It is well established that the Privacy Act 1988 (Privacy Act) contains an exemption whereby the handling of personal information by a private sector employer does not trigger the application of the Privacy Act if it directly relates to an employee’s current or former employment relationship.
However, the question of whether employee records are exempt from the reach of notifiable data breaches is less clear.
In circumstances where personal information is not captured under the employee records exemption, the requirements under the Privacy Act must be complied with. For example, information in relation to prospective employees, independent contractors, work experience students or other volunteers will not be captured by the exemption.
Further, information which does not directly relate to an employee’s employment may also be captured by the Privacy Act.
The types of information disclosures which would not directly relate to an employee’s employment is a grey area, and caution should be exercised.
- Do not consider the employee records exemption as a blanket protection. If in doubt, seek further advice or notify!
- Organisations should be prepared in the event that a data breach occurs. Ensure your data breach policies and notification plans are up to date.