The full force of the new notifiable data breaches regime is on its way with the Privacy Amendment (Notifiable Data Breaches) Bill 2016 having received Royal Assent on 22 February 2017.
Entities which will be affected by the changes have until February 2018 to prepare for the commencement of the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Act). Leading up to this time it will be important to review existing cybersecurity arrangements and, if not already in place, implement a cybersecurity policy which deals with the obligations arising under the new law. This should include a method to clearly identify what personal or other information is held and address implementation of risk management policies and procedures in the event of an eligible data breach (as defined in the Act).
The mandatory data breach notification scheme will apply to all entities which currently have obligations under the Privacy Act 1988 (Cth). This includes Commonwealth Government Agencies, private sector businesses and not-for-profit organisations with an annual turnover of more than $3 million, entities which are holders of tax file information (known as file number recipients under the Privacy Act), certain credit providers and credit reporting bodies and other specified entities.
The new laws will apply in the event of an “eligible data breach”. An eligible data breach will have occurred where the information is personal information or other regulated information under the Privacy Act and:
“1. Both of the following conditions are satisfied:
2. the information is lost in circumstances where:
The intent of the Act is to assist people whose personal information may have been compromised by keeping them informed and thereby enabling them to protect themselves and their personal information, for example by changing passwords. Although broadly capturing any unauthorised access, disclosure or loss, one limitation with the Act in achieving this goal might be the requirement that there be potential for “serious harm” to occur. The Explanatory Memorandum for the Act notes that this is intended to include serious harm to a person’s reputation, so it need not be merely monetary harm. However, the Explanatory Memorandum goes on to envisage that the term refers to more than just distress. It will be interesting to see how this is interpreted in practice.
If an eligible data breach occurs then the entity must prepare a Statement for the Privacy Commissioner containing relevant information and in the form prescribed under the Act.
Additionally, the entity will be required not only to notify the individuals in relation to whom the eligible data breach is likely to result in serious harm but, if practicable, all individuals to whom the information relates. It is only where it is impracticable that the notification obligation is reduced to only notifying the individual (or individuals) at risk.
Where affected individuals cannot be contacted or located, the entity must publish the contents of the Statement on the entity’s website and take reasonable steps to publicise the contents of the Statement provided to the Commissioner.
The new regime does contain some exceptions. Particularly notable is the case of an entity which is able to remedy a data breach before it results in loss or harm. In such circumstances, if the entity takes action before an individual suffers loss or serious harm then they will not have to comply with the requirements of notification.
The new laws also put a positive obligation on entities to investigate data breaches if there are reasonable grounds to suspect that there may have been an eligible data breach. If the Commissioner becomes aware of reasonable grounds to believe there has been an eligible data breach, the Commissioner has the power to direct an entity to comply with its notification obligations.
Non-compliance by an entity will amount to an interference with the privacy of an individual, which carries serious civil penalties under the Privacy Act.
Therefore it is important for organisations to recognise irregular or unusual activity and ensure that proper investigations of possible data breaches are undertaken and completed within 30 days. As entities will now have to fulfil a positive duty to investigate such occurrences, it is critical for them to put proper procedures in place and ensure adequate staff training before the new regime comes into force.