This week the Senate passed the Privacy Amendment (Notifiable Data Breaches) Bill 2016/17 into law. As a result Australia will have a mandatory data breach notification scheme.
The new scheme creates an obligation to report eligible data breaches relating to personal information held by businesses which may result in "serious harm" to any individual whose data has been disclosed. The notification obligation will apply to government agencies, businesses and not for profit organisations governed by the Privacy Act.
A data breach consists of the unauthorised access to, disclosure of or loss of personal information (information identifying a specific person). A data breach can occur online (cyber security incident) or in a physical sense (documents accessed by a third party without permission).
Where a business subject to the law suspects that there may have been a data breach, it is required to carry out a reasonable and expeditious assessment of whether there are reasonable grounds to believe that the relevant circumstances amount to an eligible data breach which triggers the new notification requirment.
In the new legislation a data breach triggering the notification requirement is when there is unauthorised access to, disclosure or loss of personal information, and which the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates.
Serious harm is not precisely defined in the legislation. Serious harm will also depend on a number of factors. Guidance in the Explanatory Memoradum which accompanies the legislation sets out that serious harm could include physical, psychological, emotional, economic or financial harm, as well as harm to reputation.
The new law will require organisations that determine they have had an eligible data breach to report the incident to the Privacy Commissioner and notify affected persons as soon as practicable after they become aware of a breach.
The notification obligation will require businesses to issue a notice that the breach occurred, and must include a description of the data breach, the kind of information involved, and how individuals should respond to the data breach.
The legislation does not contain an exact definition of what actions businesses should recommend for individuals to take to respond to a data breach. Guidance in the Explanatory Memoradum which accompanies the legislation gives the examples of changing passwords or cancelling credit cards. We expect further guidance on these issues over time.
Those that fail to provide the required notifications may be subject to face penalties including fines.
The law will come into effect later in 2017.
This is commentary published by Colin Biggers & Paisley for general information purposes only. This should not be relied on as specific advice. You should seek your own legal and other advice for any question, or for any specific situation or proposal, before making any final decision. The content also is subject to change. A person listed may not be admitted as a lawyer in all States and Territories. © Colin Biggers & Paisley, Australia 2019.