Mandatory data breach notification scheme now in effect – what you need to know
26 February 2018
Amendments to the Privacy Act 1988 (Cth) (Privacy Act) came into effect on Thursday 22 February 2018.
Under the Privacy Act, regulated entities are obliged to take reasonable steps to protect personal information from misuse, interference and loss, unauthorised access, modification or disclosure.
The amended Privacy Act now includes a scheme under which certain organisations and federal agencies are required to notify the Office of the Australian Information Commissioner (OAIC) and any affected individuals if there has been an ‘eligible data breach’.
The new scheme is intended to ensure that individuals are notified if their personal information is compromised so they may have an opportunity to take remedial steps.
Which entities are required to report data breaches?
‘APP entities’ are subject to the new scheme.
APP entities are organisations and agencies regulated by the Privacy Act and include:
- individuals (including sole traders);
- bodies corporate (e.g. corporations);
- other unincorporated associations;
- trusts; and
- federal government ministers, departments, bodies and agencies.
Certain small business operators with annual turnover less than AU$3 million, registered political parties and State or Territory authorities and instrumentalities are excluded.
What are the new mandatory data breach notification requirements?
An APP entity must notify the OAIC and affected individuals as soon as practicable if:
- it has reasonable grounds to believe that an ‘eligible data breach’ has happened; or
- it is directed to do so by the Commissioner.
The notice should include the following details:
- the identity and contact details of the APP entity;
- description of the data breach and the type of information involved; and
- steps that affected individuals should take in response to the breach.
What is an ‘eligible data breach’?
An eligible data breach happens if:
- there is unauthorised access to, unauthorised disclosure of, or loss of, personal information held by an APP entity; and
- the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates.
The Privacy Act does not define ‘serious harm’; however, we expect that it is likely to include serious physical, economic, financial and reputational harm.
As to whether ‘serious harm’ is ‘likely’, the Privacy Act sets out matters to be taken into consideration, including:
- the kind of information;
- the sensitivity of the information;
- whether the information is protected by any security measures and how easily those security measures could be circumvented.
Are there any exceptions to the obligation to report a data breach?
There are certain exceptions to the obligation to report, including:
- where the APP entity only has reasonable grounds to suspect that an eligible data breach has occurred. In this scenario, the APP entity is required to carry out a reasonable and expeditious assessment of whether there are reasonable grounds to believe that the relevant circumstances amount to an eligible data breach. The assessment must be completed within 30 days; and
- where the APP entity takes remedial action before any serious harm is caused by the breach.
What are the consequences of failing to report a data breach?
A failure to comply with the new scheme may expose the APP entity to the civil penalty regime under the Privacy Act, with consequences including investigations into its conduct and, if the non-compliance is serious or there are multiple breaches, the imposition of substantial civil penalties (fines).
What should you be doing now?
- (Data breach response plan) If you haven’t already, prepare a data breach response plan. This is a policy prepared by an APP entity which sets out how the entity will assess, contain and manage any breaches or suspected breaches of the entity’s privacy obligations. The OAIC has prepared the following online guide to assist APP entities to prepare plans to manage data breaches quickly and appropriately: OAIC guidance
- (Training) Ensure all staff, contractors and third party service providers are aware of the new notification requirements and the entity’s privacy obligations more generally. Prepare a contact list so that staff, contractors and third parties know who to contact in the organisation and what information to provide in the event of a data breach so that the issue can be escalated and dealt with promptly.
- (Update arrangements with service providers) Update your contracts and arrangements with third party service providers who hold private information on your behalf. Ensure that your arrangements require the third party to immediately and appropriately report any data breaches, and otherwise protect your organisation’s financial and reputational interests in the event a service provider fails to report a breach.
Sonia Apikian, Partner and Clementine Woodhouse, Associate
This update does not constitute legal advice and should not be relied upon as such. It is intended only to provide a summary and general overview on matters of interest and it is not intended to be comprehensive. You should seek legal or other professional advice before acting or relying on any of the content.