On the 22 February 2018 mandatory data breach notification laws came into effect imposing certain obligations on entities in responding to data breaches. This follows the passage of the Privacy Amendment (Notifiable Data Breaches) Act 2017 in February last year. Entities which fail to adhere to the new regime may be subject to investigations or civil penalties of up to $2.1 million.
Under the new laws, entities must notify the Office of the Australian Information Commissioner (OAIC) and impacted individuals where an "eligible data breach" has occurred. An eligible data breach would occur where the loss, unauthorised access or disclosure of personal information is likely to result in serious harm to the individual. The legislation does not define "serious harm", however it is likely to include physical, psychological, emotional, financial and reputational harm.
Notification must be given to the OAIC and impacted individuals as soon as practicable after the entity becomes aware of the eligible data breach. As part of the notification, entities are required to prepare a statement for the OAIC and the individual which contains:
- the entity's identity and contact details;
- a description of the data breach;
- the kinds of information concerned;
- recommended steps to be taken by the individual; and
- the identity and contact details of other entities that may be involved.
The entity is not required to notify the OAIC or the individual if it has acted promptly to remediate a data breach before serious harm has occurred.
To assist your business in understanding its reporting obligations under the new law, please see our flowchart here, which outlines the steps to take where a potential data breach arises. Further information can be found on the OAIC website here.