In Brief: On 22 February 2018, a notifiable data breaches scheme will be introduced in Australia.
The notification obligation will apply to government agencies, businesses and not-for-profit organisations governed by the Privacy Act 1988 (Cth).
Under this scheme, if an organisation experiences an eligible data breach, the organisation must notify affected individuals and the Privacy Commissioner as soon as practicable.
The purpose of the scheme is to allow individuals the opportunity to take action to protect themselves against misuse of their personal information, such as changing passwords or bank account details.
Organisations holding personal information should prepare for the new scheme.
Key obligations under the Notifiable Data Breaches Scheme
The Notifiable Data Breaches Scheme requires an organisation to notify affected individuals and the Privacy Commissioner if an eligible data breach has occurred or if the organisation has reasonable grounds to suspect that an eligible data breach has occurred.
An eligible data breach occurs if:
- there is unauthorised access to, disclosure of, or loss of personal information held by an organisation; and
- the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates.
Serious harm can include physical, psychological, emotional, economic or financial harm as well as harm to reputation. The risk must be assessed having regard to factors such as the kind of information, the sensitivity of the information, the types of people who have or could obtain the personal information and the nature of the harm.
If an organisation suspects that there may have been a data breach, it is required to carry out a reasonable and expeditious assessment of whether there are reasonable grounds to believe that the relevant circumstances amount to an eligible data breach which triggers the new notification requirement.
If an organisation determines that an eligible data breach has occurred, it is required to prepare and send a statement to the individuals affected by the data breach as soon as practicable. The organisation must also send this statement to the Privacy Commissioner.
If an organisation fails to comply with the Notifiable Data Breaches Scheme, the organisation will be subject to investigations and penalties under the Privacy Act 1988 (Cth).
What can organisations do to mitigate the risk of an eligible data breach?
Organisations can take the following steps to mitigate the risk of an eligible data breach:
- undertake a data audit
- review and revise agreements with third parties who collect, store, or use personal information, especially technology vendors
- update data collection notices, privacy policies and employee training manuals to include specific provisions relating to data security and data breaches
- implement a data breach response policy
- speak to the organisation's insurance broker about cyber insurance.
This is commentary published by Colin Biggers & Paisley for general information purposes only. This should not be relied on as specific advice. You should seek your own legal and other advice for any question, or for any specific situation or proposal, before making any final decision. The content also is subject to change. A person listed may not be admitted as a lawyer in all States and Territories. © Colin Biggers & Paisley, Australia 2019.