On Thursday 22 February 2018 the Notifiable Data Breaches Scheme (NDB Scheme) commenced. Businesses subject to the Privacy Act 1988 (Cth) (Privacy Act) are now obligated to notify the Office of the Australian Information Commissioner, and the individuals concerned, when an eligible data breach occurs.
Entities affected by the changes should urgently review their existing cybersecurity arrangements and, if one is not already in place, implement a cybersecurity policy which deals with the obligations arising under the new law. This should include a method for clearly identifying what personal or other regulated information the entity holds, and risk management policies and procedures to be followed in the event of an eligible data breach (as defined in the Act).
The mandatory data breach notification scheme applies to all entities which currently have obligations under the Privacy Act. This includes Commonwealth Government agencies, private sector businesses and not-for-profit organisations with an annual turnover of more than $3 million, entities which hold tax file number information (known as file number recipients under the Privacy Act), certain credit providers and credit reporting bodies, and other specified entities.
The new laws apply in the event of an “eligible data breach”. An eligible data breach will have occurred where the information is personal information or other regulated information under the Privacy Act and:
“1. Both of the following conditions are satisfied:
2. the information is lost in circumstances where:
The intent of the Act is to assist people whose personal information may have been compromised by keeping them informed and enabling them to protect themselves and their personal information, for example by changing their passwords. Although the Act broadly captures any unauthorised access, disclosure or loss, one limitation in achieving this goal might be the requirement that the breach be likely to result in “serious harm”. The Explanatory Memorandum for the Act notes that this is intended to include serious harm to a person’s reputation, so it is not restricted to monetary harm only. However, the Explanatory Memorandum goes on to envisage that the term refers to more than mere distress. It will be interesting to see how this is interpreted in practice.
If an eligible data breach occurs, the entity must prepare a Statement for the Privacy Commissioner containing the relevant information, in the form prescribed under the Act.
Additionally, the entity will be required to notify not only the individuals for whom the eligible data breach is likely to result in serious harm but, if practicable, all individuals to whom the information relates. Only where it is impracticable to inform all individuals to whom the information relates is the obligation reduced to notifying the individual (or individuals) at risk.
Where affected individuals cannot be contacted or located, the entity must publish the contents of the Statement on the entity’s website and take reasonable steps to publicise the contents of the Statement provided to the Commissioner.
The new regime does contain some exceptions. Particularly notable is the case of an entity which is able to remedy a data breach before it results in loss or harm. In such circumstances, if the entity takes remedial action before an individual suffers loss or serious harm, it will not have to comply with the notification requirements.
The new laws also place a positive obligation on entities to investigate suspected data breaches where there are reasonable grounds to suspect that an eligible data breach may have occurred. If the Commissioner becomes aware of reasonable grounds to believe there has been an eligible data breach, the Commissioner has power to direct the entity to comply with its notification obligations.
Non-compliance by an entity will amount to an interference with the privacy of an individual, which carries serious civil penalties under the Privacy Act – up to $360,000 for individuals and $1.8 million for organisations.
It is therefore important for organisations to be able to recognise irregular or unusual activity and to ensure that proper investigations of possible data breaches are undertaken and completed within 30 days. As entities now have a positive duty to investigate such occurrences, it is critical that they put proper procedures in place and ensure adequate staff training.
Call us for a free ‘no obligation’ discussion where we can talk about how this applies to your business, reporting obligations and the steps needed to prepare a Data Breach Response Plan.
This communication provides general information which is current as at the time of production. The information contained in this communication does not constitute advice and should not be relied upon as such. Professional advice should be sought prior to any action being taken in reliance on any of the information. Should you wish to discuss any matter raised in this report, or what it means for you, your business or your clients' businesses, please feel free to contact us.