From 22 February 2018, the Privacy Amendment (Notifiable Data Breaches) Act 2017 amends the Privacy Act 1988 (Privacy Act) to introduce mandatory data breach notification provisions.
Under the Australian Privacy Principles (APPs) contained in the Privacy Act, organisations covered by the Privacy Act (APP entities) are already required to take reasonable steps to protect personal information from misuse, interference and loss, as well as from unauthorised access, modification or disclosure. Until now, however, an organisation that suffered a data breach in contravention of these requirements has been under no obligation to notify the individuals who may be affected. From 22 February 2018, organisations will be required to report certain data breaches to the Office of the Australian Information Commissioner (OAIC) and to the individuals affected by the breach.
When does the notification obligation arise?
Under the legislative changes, organisations must give notice, as soon as practicable, to the OAIC and to affected individuals where there are reasonable grounds to believe that an "eligible data breach" has occurred (unless an exception applies). Where an organisation merely suspects that an eligible data breach may have occurred, it must carry out a reasonable and expeditious assessment of the suspected breach, and must take all reasonable steps to complete that assessment within 30 days of becoming aware of the grounds for suspicion.
An eligible data breach will generally arise where there has been unauthorised access to, or unauthorised disclosure of, personal information and a reasonable person would conclude that the access or disclosure is likely to result in serious harm to any of the individuals to whom the information relates. The loss of personal information is also an eligible data breach where unauthorised access to or disclosure of the lost information is likely to occur and, if it did, would be likely to result in serious harm.
"Serious harm" is not defined in the amended Privacy Act, but it is likely to include serious physical, psychological, emotional, economic and financial harm, as well as serious harm to reputation.
How must notification occur?
First, the organisation must prepare a statement containing certain prescribed information about the data breach and provide a copy of it to the OAIC. It must then take reasonable steps to notify the affected individuals of the contents of that statement. The steps required will depend on the circumstances: ordinarily the statement is sent to each affected individual (or to each individual at risk of serious harm) by the usual means of communication between the organisation and that individual, and only where neither is practicable may the organisation instead publish the statement on its website and take reasonable steps to publicise it. The statement given to the OAIC and notified to affected individuals must include the following information:
- the identity and contact details of the organisation;
- a description of the data breach;
- the kinds of information concerned; and
- recommendations about the steps individuals should take in response to the data breach.
Exceptions to the data breach notification requirement
The amended Privacy Act includes several exceptions to the notification requirement. For example, if an organisation takes remedial action before any serious harm results from the breach, such that a reasonable person would no longer conclude that serious harm is likely, the breach is not an eligible data breach and the organisation is not required to notify the affected individuals or the OAIC.
What you should do now…
You should ensure that you regularly monitor and audit the security of the systems in which you hold personal information, and that you have policies and procedures in place for sharing data and for responding to data breaches in compliance with the Privacy Act and these amendments. If your policies and procedures have not been reviewed since the Privacy Act overhaul in 2012, we strongly recommend a legal audit of them to ensure that you still comply with your obligations under the Privacy Act.
In addition, it may be wise to consider cyber insurance to protect your business against the costs of responding to an IT system breach, third-party claims arising from it, and interruptions to your business caused by a cyberattack on a key supplier.