– what this means for companies
Organisations covered by the Australian Privacy Act 1988 (Cth) will soon need to notify eligible data breaches to the Office of the Australian Information Commissioner (OAIC) as well as to affected individuals as soon as practicable after the organisation becomes aware.
On 22 February 2017, the Privacy Amendment (Notifiable Data Breaches) Act 2017 passed both houses of Parliament with bipartisan support and received Royal Assent. The implication is that, from 23 February 2018, the Privacy Act 1988 (Cth) will include a mandatory data breach notification scheme.
Who must comply with this new law
The new law will apply to organisations with an annual turnover of more than $3 million, Australian Government agencies, and other organisations that are already required by the Privacy Act to keep information secure (APP entities).
When does an ‘eligible data breach’ occur
An ‘eligible data breach’ occurs where there has been:
- Unauthorised access to or disclosure of information, or loss of information where unauthorised access or disclosure is likely; and
- A reasonable person would conclude that the access or disclosure would be likely to result in serious harm to the individuals to whom the financial information relates.
The requirement to notify
The requirement to notify is triggered when an entity is aware that “there are reasonable grounds to believe that there has been an eligible data breach of the entity”.
If an eligible data breach has occurred, an entity must notify affected individuals and the OAIC as soon as practicable, with a notification containing certain prescribed information, including:
- The identity of the organisation;
- A description of the breach;
- The kind of information concerned; and
- Recommendations to the individuals as to the steps they should take in response to the breach.
If it is impracticable to notify all affected individuals, the entity must publish a statement on its website.
Exceptions to Notification
There are a range of exceptions, most notably where the affected entity takes appropriate remedial action in response to the eligible data breach before the breach causes serious harm.
Sanctions for failing to comply
The standard penalty regime under the Privacy Act allows for monetary penalties of up to $1.8 million for companies and $360,000 for individuals for serious or repeated breaches.
The takeaways
To ensure compliance with the new law:
- Update your data breach response plan, confirm it is complete, and ensure the response team is well trained;
- Start implementing processes to meet the various assessment and notification requirements;
- Review how your company manages its information: take stock of its information assets and its data protection measures (including response activities), and reduce the risk of a data breach occurring in the first place;
- Focus on your organisation’s ability to remediate a breach; and
- Analyse contracts with service providers to ensure they contain privacy and data breach notification obligations.