Earlier this year the Privacy Act 1988 (Cth) was amended which brought into effect the new Australian Privacy Principles (APPs).
The APPs impose obligations on dealing with ‘personal information’. Personal information is information or an opinion about an identifiable person, or a reasonably identifiable person, regardless of whether the information or opinion is true or whether it is recorded in a material form. Some examples of personal information include a person’s name, email address, phone number and credit card details. Personal information also includes ‘sensitive information’, for example, information or an opinion about a person’s ethnic origin, religious beliefs or their health.
APP entities, including:
- individuals, bodies corporate (including companies and incorporated associations), partnerships and unincorporated associations with an annual turnover of $3 million or more; and
- agencies, for example a Department of State or bodies established or appointed for a purpose under Commonwealth legislation, must comply with the APPs.
Obligation to protect personal information
APP 11.1 requires APP entities that hold personal information to take steps that are reasonable in the circumstances to protect that personal information from misuse, interference, loss, unauthorised access, modification and disclosure. Breaches of this APP, often referred to as ‘data breaches’, are becoming increasingly common.
There is no legal requirement to disclose a data breach to affected persons or the Office of the Australian Information Commissioner (OAIC) under the Privacy Act. However, disclosure may be an important step for mitigating harm to persons affected by a data breach.
Ultimately it will be a decision for the APP entity whether or not it should notify affected persons of a data breach and this is difficult to determine. The OAIC published a revised guide to dealing with data breaches in August this year1. The revised guide contains four steps to consider in the event of a data breach, including guidance on whether there should be notification of the data breach.
In summary, the OAIC recommends that ‘if a data breach creates a real risk of serious harm to the individual, the affected individuals should be notified.’ 2
Factors that should be considered when determining if the breach creates a risk of serious harm to the affected persons include the type of personal information that has been disclosed, the extent of the data breach, the cause of the data breach (for example, was the data breach a result of criminal activity or a mistake by an employee), the persons that gained access to the personal information through the data breach, whether the personal information disclosed has been used and whether it is able to be returned or destroyed to ensure it is not used.
It is important to note that notification does not cure a breach of the APPs. APP entities should take appropriate steps to ensure that there are adequate systems in place and that staff have received sufficient training to ensure that the APP 11.1 is not breached.
Need some help?
The OAIC’s guide provides general guidance only.