You will need to take extra care to safeguard the unauthorised access, loss or disclosure of personal information.

On 22 February 2018, the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) will take effect to introduce a new notifiable data breach scheme (NDB Scheme).

If you already have obligations under the Privacy Act 1988 (Cth) (Act) (including the Australian Privacy Principles (APPs)) to protect personal information, then the NDB Scheme will apply to you.

What are the new laws?

Under the NDB Scheme:

  1. if you experience a data breach that is likely to result in serious harm, you must notify the Australian Information Commissioner (Commissioner) and all affected individuals in relation to that data breach;
  2. if you suspect that you have experienced a data breach, you must quickly assess the situation to decide whether or not you have experienced a data breach that may require a notification;
  3. the Commissioner has wide powers to investigate compliance; and
  4. a failure to comply may result in fines of up to $2.1 million for corporations and $420,000 for other entities.

What should you do?

Generally, you need to ensure that you are complying with your existing obligations set out in the Act including by:

  • having a current and up-to-date privacy policy;
  • ensuring that you obtain all necessary consents, and that you make all relevant notifications, as required by the APPs; and
  • implementing personal information management systems, processes and procedures that comply with the requirements of the APPs.

Some specific tips that may assist you to comply with your obligations under the NDB Scheme include to:

  • review and update your privacy policy and personal information management systems, processes and procedures;
  • appoint a person (or team) to manage any incident response;
  • document a data breach response plan, including guidelines for making a notification; and
  • review your contractual arrangements where multiple parties handle personal information.