Until now, Australia did not have a mandatory data breach notification requirement. The Office of the Australian Information Commissioner (OAIC) simply encouraged entities to notify it of data breaches – the regime was entirely voluntary.
The Privacy Amendment Act will make it a legal requirement for entities regulated by the Privacy Act 1988 (Cth) to notify the OAIC and affected individuals of ‘eligible data breaches’ as soon as they become aware that there are reasonable grounds to believe such a breach has occurred (unless an exception applies). All APP entities (including credit providers and credit reporting bodies) are required to comply with the new regime.
‘Eligible data breaches’ and ‘serious harm’
An ‘eligible data breach’ warranting notification occurs if:
(i) there is unauthorised access to, or unauthorised disclosure of, information held by an organisation; or
(ii) information is lost in circumstances where there is likely to be unauthorised access to or unauthorised disclosure of information; and
(iii) a reasonable person would conclude that the access or disclosure would be likely to result in ‘serious harm’ to any of the individuals to whom the information relates.
The Privacy Amendment Act stipulates several factors relevant in determining whether access to, or disclosure of, information is likely to result in ‘serious harm’, including: the kind of information; the sensitivity of the information; the person/s who have obtained the information; and the nature of the potential harm to affected person/s.
Requirement to perform ‘reasonable and expeditious’ assessment
Entities that have reasonable grounds to suspect that an eligible data breach has occurred have an obligation to carry out a ‘reasonable and expeditious’ assessment of the suspected data breach. This assessment must be undertaken within 30 days of first becoming aware of the suspected data breach.
As soon as becoming aware that there are reasonable grounds to believe that the relevant circumstances amount to an eligible data breach by the organisation, the organisation must, at a minimum, take the following steps:
- Prepare a statement setting out:
- the organisation’s identity and contact details;
- a description of the breach;
- the kind/s of information concerned; and
- recommendations about the steps that individuals should take in response to the breach.
What are the exceptions?
Not all data breaches will trigger a mandatory notification obligation. There are a number of exceptions to the mandatory notification regime. These include:
- if an organisation has taken remedial action to address potential harm to individuals that may arise due to a relevant data breach before any serious harm is caused to individuals to whom the information relates, the mandatory notification obligations will not apply;
- if an eligible data breach involves more than one organisation and one of them has already prepared a statement about it, the other entities are not required to prepare their own statement;
- where the notification is inconsistent with a secrecy provision in another law; and
- where the organisation is already required to disclose the breach pursuant to the My Health Records Act 2012 (Cth).
What does this mean for Australian entities?
Under the new regime, where an organisation breaches a mandatory notification requirement, that contravention may amount to an ‘interference’ with the privacy of an individual. As such, this may result in the imposition of a civil penalty under the Privacy Act.
Currently the maximum civil penalty is AU$360,000 for individuals and AU$1.8 million for corporate entities.
The OAIC expects all entities to have a data breach response plan as part of their ongoing privacy obligations and as part of the new regime. A data breach response plan forms part of having robust and effective privacy practices, and provides the ability to respond quickly.
A data breach response plan should include:
- the steps and actions staff should take in the event of a breach or suspected breach;
- reporting lines if staff suspect a data breach;
- the recording of data breaches;
- means for identifying and addressing anything that contributed to the breach; and
- systems for a post-breach review and assessment of your organisation’s response to the data breach.
What steps should you be taking right now?
There are a number of things that you should be doing right now to prepare for the new reporting obligations and also minimise the harm that can arise from a cyber-attack. These include:
- Review your practices, procedures and systems for securing personal information, and update where necessary to ensure you know how to respond, and when.
- Conduct training on privacy laws and the notification requirements of the new regime so that all staff, management and board members are aware of what’s involved, what the consequences of non-reporting are and when reports need to be prepared.
- Review your contracts with third party contractors to ensure that your business is adequately protected in the event of a serious data breach, including contractual mechanisms to monitor and alert you of a serious data breach and an indemnity for failure to do so.
- Prepare or update your Data Breach Response Plan to ensure your business is able to respond quickly to serious data breaches in the immediate period after an attack.