From 22 February 2018, amendments to the Privacy Act 1988 will take effect and introduce a mandatory notification procedure for data breaches. Currently, there are no requirements to notify individuals affected by a data breach.
All entities which are bound by the Australian Privacy Principles will have new reporting obligations if there is an “eligible data breach”. Those entities will need to notify the Office of the Australian Information Commissioner (OAIC) and any parties who are “at risk” because of the breach.
An “eligible data breach” is either:
- unauthorised access or disclosure of information that a reasonable person would conclude is likely to result in serious harm to any individuals to whom the information relates; or
- information that is lost in circumstances where unauthorised access or disclosure of information is likely to occur and it can be reasonably concluded that such an outcome would result in serious harm to any of the individuals to whom the information relates.
To determine whether an individual is at risk of serious harm you will need to consider factors such as the sensitivity of the information, whether the information is protected by one or more security measures, the kind of persons who could obtain the information and the nature of the harm.
If you suspect there has been a data breach but you are not aware of the circumstances or whether it is actually an “eligible” data breach then you must carry out a reasonable and expeditious assessment within 30 days of becoming aware of the breach.
If there are reasonable grounds to believe there has been an eligible data breach then you need to notify the OAIC and the individuals whose data was affected or individuals who are at risk with:
- a description of what occurred
- the kinds of information concerned; and
- the recommended next steps that individuals affected should take in response to the data breach.
In some circumstances, if you take action in response to the breach before any disclosure or serious harm occurs, then the Act provides that it may not be an “eligible” data breach and you do not need to go through the notification steps.
Failure to abide by the investigation and notification regime will be an “interference with an individual’s privacy” and therefore a breach of the Privacy Act. The OAIC may investigate, make a determination and pursue civil penalties against you for such a breach.
So what should you be doing?
- Consider whether your ICT security systems are sufficient to protect against the unauthorised release or disclosure of personal information;
- Review and update your internal policies and protocols to ensure that:
  - you and your team can respond to actual or potential data breaches quickly; and
  - you can conduct the necessary assessments within the timeframes required by the Privacy Act;
- Educate your staff on the changes to the Privacy Act and what they can be doing to mitigate the risk and help you respond if a breach occurs; and
- Update your privacy policies to include your notification processes.