It's an increasingly common problem. Organisations hold masses of personal information on their clients, customers and, well, everyone. It takes as little as an inadvertent hit on send or as much as a targeted cyberattack to breach the Privacy Act and to unlawfully disclose that personal information.
In days gone by, organisations who had breached the Act, whether unintentionally or otherwise, could make the call on whether they confessed their sins to the Privacy Commissioner and customers. Those days are (soon to be) gone.
However, the obligation to fess up is not quite as mandatory as it sounds. Like every aspect of the privacy laws, compliance is a fairly grey area: it's all about what's reasonable. Organisations must report unauthorised access to, disclosure of, or loss of, personal information they hold in circumstances where the disclosure is likely to result in serious harm to any of the individuals to whom the information relates. When an entity becomes aware (or suspects) that a breach has occurred, it must take all reasonable steps to decide within 30 days whether it needs to notify.
In pleasant news for lawyers everywhere, there is lots of wriggle room in the phrase 'likely to result in serious harm'. There are various factors that should be taken into account when deciding whether the breach may cause 'serious harm', and guidance from the Commissioner suggests that this could include physical, psychological, emotional, economic and financial harm as well as harm to an individual's reputation.
However, if you're able to take action post-breach which ensures that no serious harm will result for any individuals, then you're in the clear and don't need to notify.
Here are the things you need to do:
1. Prepare a data breach response plan, so you're all set if disaster strikes. This should include who will determine whether there is a likely risk of serious harm, and the steps you can take to limit the damage (remembering the get out of jail free card if you can avoid serious harm); and
2. Review your contracts with third parties who hold your data. They must agree to notify you of any data breach, as you need to be able to decide whether an eligible breach has occurred. Also, ensure those third parties agree to cooperate with you in investigating the breach and controlling the fallout.
The new regime comes into effect on 22 February 2018, which means you've got just enough time to get yourself sorted.