Summary

On 22 February 2018, the Privacy Amendment (Notifiable Data Breaches) Act 2017 came into effect.

Under the new requirements, entities that are bound by the Privacy Act 1988 (Privacy Act), known as "APP entities", will be obliged to notify the Privacy Commissioner and affected customers of any "eligible data breach" as soon as practicable after becoming aware of the occurrence. Where an APP entity merely suspects that its data has been breached, it will have 30 days to conduct an investigation before it must report.

The Commissioner has released an updated guidance: Data breach preparation and response — A guide to managing data breaches in accordance with the Privacy Act 1988 (Cth) (https://www.oaic.gov.au/agencies-and-organisations/guides/data-breach-preparation-and-response).

In this eBulletin we look at what makes an "eligible breach" and what you should do if your business is bound by the Privacy Act.

Australian privacy principles

The Act creates 13 Australian Privacy Principles (APPs), which apply to both Commonwealth agencies and private sector organisations. The APPs outline standards, rights and obligations in relation to the collection, storage, use and disclosure of personal information. They replace the 10 National Privacy Principles (previously applying to the private sector) and the 11 Information Privacy Principles (previously applying to the public sector).

Enhanced powers of the Information Commissioner

The Act also significantly expands the functions and powers of the Information Commissioner. Under the Act, the Commissioner has greater powers in terms of resolving complaints, conducting audits and investigations and promoting compliance with privacy obligations. These amendments allow the Commissioner to monitor organisations for the purpose of ensuring that any personal information held is not used or disclosed improperly.

In particular, the Commissioner is able to make inquiries of people other than the respondent to a complaint, and when making a determination, the Commissioner can make any order that is considered necessary or appropriate. In the event of a breach of the Privacy Act, the Commissioner is able to accept an enforceable undertaking, which if breached, can be enforced in the Federal Court or Federal Magistrates' Court.

Bottom line

The Act is now in effect and organisations need to review their procedures for collecting, using and disclosing personal information to ensure compliance with the new requirements.

These amendments represent only the first of a two-stage reform process, and organisations that hold a significant amount of personal information should continue to monitor developments in this area.