The Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) introduced a Notifiable Data Breaches scheme in Australia which commenced in 2018.
The reforms strengthen Australia’s privacy laws by requiring entities already subject to the Privacy Act 1988 (Cth) (the ‘Act’) to notify certain data breaches that are likely to cause serious harm to the individuals concerned.
The Act applies to Australian Government agencies, businesses and not-for-profit organisations with an annual turnover of $3 million or more, credit reporting bodies, and certain smaller businesses that would otherwise be exempt, such as private sector health service providers and businesses that trade in personal information.
The Act sets out 13 Australian Privacy Principles (APPs), which regulate how regulated entities collect, hold, use and disclose personal information. Under APP 11, an entity must take reasonable steps to protect the personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure. The reforms build on APP 11 by imposing a mandatory notification obligation when an ‘eligible data breach’ occurs.
An eligible data breach happens if either (a) there is unauthorised access to, or unauthorised disclosure of, personal information held by an entity, or (b) personal information held by an entity is lost in circumstances where unauthorised access or disclosure is likely to occur, and, in either case, a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates. An entity must give notification of every eligible data breach.
In determining whether an eligible data breach has occurred, an entity must assess whether any of the affected individuals is likely to suffer serious harm. The test is objective: it is applied from the perspective of a reasonable person who is properly informed of the circumstances, and ‘likely’ means that the harm is more probable than not.
Serious harm may include physical, psychological, emotional, financial or reputational harm, and whether it is likely may be determined in consideration of:
If an eligible data breach occurs, an entity must, as soon as practicable, prepare a statement for the Office of the Australian Information Commissioner (OAIC) and notify the affected individuals of its contents.
If an entity suspects that an eligible data breach may have occurred, it must carry out a reasonable and expeditious assessment of the circumstances, completed within 30 days of becoming aware of the grounds for that suspicion, to determine whether it is an eligible data breach.
Notification must include:
Notification is not required if the entity takes remedial action quickly enough that a reasonable person would conclude the breach is no longer likely to result in serious harm; in that case the breach is not treated as an eligible data breach.
The form of notification will depend on the circumstances of the breach, and on whether it is practicable to identify and notify each affected individual. If individual notification is not practicable, the entity must publish the statement on its website and take reasonable steps to publicise it, for example by advertising in newspapers, online or on social media platforms.
Entities that fail to carry out the assessment and notification processes prescribed by the reforms breach their obligations under the Act, and serious or repeated failures may attract civil penalties.
Increasingly sophisticated attack tools, the reliance on email for everyday communication, flexible and remote work practices, and poorly designed systems for collecting and storing data all have the potential to contribute to a data breach. Specific examples may include:
It is important for businesses to examine all potential risk factors within their organisation, identify strategies to minimise the likelihood of a data breach, and comply with their obligations under the Act. Entities should:
As technology advances, the potential for personal information to be stolen, misused and disseminated increases. Business owners and managers must play their part by implementing genuine measures to protect their customers’ personal information.
A breach of privacy can have significant consequences for both the affected individual and the business entity.
Businesses exempt from the Act are also encouraged to familiarise themselves with its obligations and the reforms, to assist in developing processes that reflect best practice for the collection and management of personal information.
If you need more information, or if you need assistance or advice on how to proceed, please call us on (02) 9274 8820.