Businesses operating in Australia that handle personal information will soon need to notify affected individuals and the Australian Information Commissioner of serious data breaches under a new mandatory notification scheme.
On 13 February 2017, the Australian Federal Parliament passed the Privacy Amendment (Notifiable Data Breaches) Bill 2016 (the Bill). Years in the making and after numerous iterations, the Bill amends the Privacy Act 1988 (Cth) (the Privacy Act) to introduce a system for the reporting of serious data breaches involving personal information (the Notification Scheme).
The amendments are expected to come into effect within the next 12 months. It is important that your organisation is prepared for the introduction of the Notification Scheme and is able to comply with its requirements.
In particular, we recommend that your organisation take this time to:
All entities currently subject to the Australian Privacy Principles (APPs) - such as Australian private sector organisations, most Federal Government agencies, foreign companies that collect or hold personal information in Australia, and other businesses that operate in Australia with an annual turnover of more than $3,000,000 - must comply with the Notification Scheme.
Not all data breaches suffered by an entity need to be reported under the Notification Scheme. Only a data breach that satisfies the criteria set out in the Bill will be considered an ‘eligible’ data breach and notifiable.
An ‘eligible’ data breach occurs when there is unauthorised access to, or disclosure of, information (being personal information, tax file information or credit eligibility information) that is likely to result in serious harm to any individuals to whom the information relates.
The concept of ‘serious harm’ is not defined in the legislation. However, the Explanatory Memorandum provides some guidance, indicating that serious harm could include serious physical, psychological, emotional, financial or reputational harm. Whether or not a reasonable person would conclude that a data breach is likely to result in serious harm requires consideration of a number of relevant matters, including:
If an entity is able to undertake sufficient remedial action in response to a data breach such that no serious harm results from the data breach, that unauthorised access or disclosure is not considered to be an eligible data breach and the Notification Scheme does not apply.
Importantly, the Bill imposes obligations on entities in relation to suspected, and actual, eligible data breaches such that:
The Notification Scheme provides a number of exceptions to the notification obligation, including for enforcement-related activities and Commonwealth secrecy provisions. In particular, where an eligible data breach of one entity is also an eligible data breach of one or more other entities, the Notification Scheme does not apply to those other affected entities provided that one entity discharges its notification obligations. It is therefore important that an entity ensures that compliance with the Notification Scheme is sufficiently addressed in any contractual relationship.
A failure to comply with the Notification Scheme will be considered an interference with the privacy of an individual under the Privacy Act. This means that an entity may be liable for civil penalties both for the data breach itself (as a result of breaching its obligation under APP 11 to protect information from misuse, interference and loss, as well as unauthorised access, modification or disclosure) and for a failure to notify under the Notification Scheme. Civil penalties for serious or repeated interferences currently attract a maximum penalty of $1.8 million for companies and $360,000 for individuals.