The new notifiable data breach (NDB) regime comes into force on 22 February 2018. Clyde & Co's national cyber team has prepared a series of articles highlighting key issues businesses should consider before the NDB regime commences. In this article, we consider who must comply with the new laws.
The first and perhaps the most important step in preparing for the NDB regime is to determine whether it will apply to your business.
Broadly speaking, this requires an assessment of whether your business is an APP Entity, credit provider, credit reporting body or file number recipient.
However, this assessment needs to be made on an ongoing basis. Even if a business will not be required to comply with the notifiable data breach laws come 22 February 2018, this may change as it grows and its activities evolve.
Assessing whether your business is an APP Entity
Determining whether a business is an APP Entity can be deceptively tricky.
The term APP entity is defined broadly in the Privacy Act and captures 'agencies' and 'organisations'. Agencies include most Federal bodies, whereas organisations capture private organisations whose annual turnover was $3 million or more in the previous financial year. This applies even if the organisation's revenue fluctuates.
The basic threshold test for an 'organisation' is quite simple, but certain organisations will be APP entities regardless of their turnover. These include:
- entities that provide a health service and hold any health information except in an employee record;
- entities that disclose personal information about another individual to anyone else for a benefit, service or advantage;
- entities that provide a benefit, service or advantage to collect personal information about another individual from anyone else;
- a contracted service provider for a Commonwealth contract;
- any credit reporting body; and
- businesses that are related to a business that is covered by the Privacy Act.
Determining whether these exceptions apply can be difficult, and the Office of the Australian Information Commissioner has pushed for a broad interpretation of these categories.
For example, the Information Commissioner has released non-binding guidance stating that an entity may provide a health service under the Privacy Act even if this is not its primary activity. This means that health service providers may include not only traditional providers such as hospitals and medical practitioners but also gyms, child care centres and private schools.
Similarly, we consider it likely that the meaning of 'benefit, service or advantage' will also be interpreted broadly. For example, the Information Commissioner considers that this exception would capture an entity that sells personal information to another body for the purpose of direct marketing.
Businesses should consider whether any of these exceptions apply to them, as it may mean that they will need to comply with the NDB regime even if their revenue is well below AUD 3 million.
Regarding agencies, the definition generally only extends to Federal Government bodies. This means that State Government departments are not APP Entities, and nor are bodies such as local councils, public schools, public universities and public hospitals. These bodies, however, often have obligations under their State's respective privacy legislation.
Other data notification regimes
The notifiable data breach regime under the Privacy Act is not the only source of mandatory reporting in Australia, nor is it the only major change which might affect Australian businesses in 2018.
The NDB regime under the Privacy Act will not affect the operation of other existing mandatory reporting regimes, such as that under the My Health Records Act 2012 (Cth) or the continuous disclosure obligations on ASX listed entities under Chapter 3 of the ASX Listing Rules.
Further afield, the European Union General Data Protection Regulation (GDPR) also comes into effect from 25 May 2018. This new law may apply to businesses which have an establishment in the EU, offer goods and services to, or monitor the behaviour of, individuals in the EU. The GDPR contains a data breach notification regime that is stricter than the incoming NDB regime under the Privacy Act, and enforcement powers which are significantly more severe. Under the GDPR, administrative fines of up to GBP 20 million or 4% of annual worldwide turnover (whichever is higher) can be imposed for certain types of contraventions.
The OAIC has published guidance for Australian businesses on the GDPR requirements and has recommended that organisations assess whether the GDPR may apply to them and, if so, take steps to implement any changes necessary to ensure compliance. The GDPR is also only one of a number of cross-jurisdictional privacy regimes that may capture Australian organisations.
If organisations are uncertain as to whether the NDB, GDPR or other regimes may capture them, we recommend seeking legal advice. Clyde & Co's global cyber team has published guidance on the obligations under the GDPR, which can be found here.