Privacy Amendment: Mandatory Data Breach Notification in Australia

As we move further and further into a more technically-driven world, an ever-increasing danger arises for businesses. Gone are the days when every detail of every client was held within a sturdy metal filing cabinet where only a select few people held the key. In this advanced technological era, huge amounts of client and customer information are at risk of unlawfully (and unintentionally) being disclosed by companies everywhere. An unexpected cyberattack, or perhaps something as simple as accidentally sending an email containing sensitive information to an unintended recipient. Information can be unlawfully disclosed in an instant, therefore breaching the Privacy Act. However, it has never been a requirement for Australian organisations to disclose such a breach to the Privacy Commissioner or their clients. Instead, it was simply encouraged to undertake voluntary notification of data breaches.

Privacy Amendment (Notifiable Data Breaches) Bill

In February 2017, the Australian Senate voted to pass the mandatory data breach notification regime introduced in 2016. As of 22 February 2018, organisations will need to provide notification to the Privacy Commissioner and affected individuals about ‘eligible data breaches’. The notification regime will apply to any organisation subject to the Privacy Act (which will include many private sector entities, government agencies, credit reporting bodies, credit providers and tax file number recipients).

What Constitutes an Eligible Data Breach?

A data breach occurs when:

• There has been unauthorised access to, or disclosure of, personal information where it can be concluded that there is a likely risk of serious harm to any of the affected individuals as a result of the disclosure; or

• Personal information is lost and is likely to give unauthorised access to, or disclosure of, the information and there is a likely risk of serious harm to any of the affected individuals to which the information relates.

When a breach of data has occurred and an entity has become aware of it, they have 30 days to decide whether it is necessary to notify. The phrase “likely risk of serious harm” is not defined within the Bill and becomes slightly open to interpretation – good news for lawyers as it can be assessed on a case-by-case basis. The Explanatory Memorandum of the Bill suggests that serious harm could be interpreted as physical, psychological, emotional, economic and financial harm, and will depend upon both the circumstances of the individual and the circumstances of the relevant data breach.

Take Precautionary Measures

Prevention has always been better than cure, so these are steps that are worth taking to ensure that you are covered if the unthinkable should happen:

1. Have in place a formal data breach plan to manage compliance within the data breach regime. The plan should outline what steps should be taken to minimise the risk of serious harm. It is crucial that there is a complete and total understanding of how to respond to a breach depending on the type of incident. The being to increase the possibility of a better outcome for all affected parties.

2. Have a well-trained team. Ensure that all personnel with privacy and compliance obligations understand the operations and the implications of the regime.

3. Adequate contractual provisions need to be in place to manage compliance with third parties or outsourced arrangements that hold personal information for the organisation. Contracts need to stipulate that you must be notified of a breach immediately so that action can be taken. Third parties also need to agree to comply with any investigation that needs to take place.

A privacy breach of client information has the potential to be very damaging to an organisation. A few precautionary measures can prevent a disaster and also help in the aftermath of such an event. Get organised now while time is on your side.

WHAT DO I DO NOW?

Contact us if you would like to have more information on managing the legal risks involved with your company's data. Our lawyers at You Legal will be happy to assist you in whatever way we can. Or you can read more from the Office of the Australian Information Commissioner here.

* This blog is for general guidance only. Legal advice should be sought before taking action in relation to any specific issues.