The Federal Parliament has recently passed the Privacy Amendment (Notifiable Data Breaches) Bill 2016 (Cth) which provides for mandatory notification of ‘serious data breaches’ to the Australian Information Commissioner and to those individuals whose data is suspected to be affected by a breach. Currently, the Privacy Act does not impose an obligation on entities to notify the Commissioner or any individuals whose personal information has been compromised.
Rather, the scheme is voluntary and entities are only encouraged to comply with the OAIC’s guide on how to handle data breaches.
The introduction of the changes has the support of major interest groups and is said to be largely beneficial for individuals, businesses and the Australian government. However, as the changes will not apply to those exempt from the Privacy Act, such as small businesses with an annual turnover of less than $3 million, few have questioned the limited application of the changes. Having said that, businesses with less than $3 million turnover must comply if they are:
- Private sector health services providers
- Child care centres, private schools and private tertiary educational institutions.
- Businesses that sell or purchase personal information along with credit reporting bodies.
What is an eligible data breach?
An eligible data breach occurs where there is unauthorised access to, or unauthorised disclosure of, personal information and a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates.
What does ‘serious harm’ mean?
The bill sets out a number of factors the court will consider, according to a ‘reasonable person test’, including:
- The kind or kinds of information.
- The sensitivity of the information.
- Whether the information is protected by one or more security measures.
- The likelihood any such security measures would be overcome.
- The nature of the harm.
Suspected eligible data breach
In situations where an entity has reasonable grounds to suspect that there may have been an eligible data breach but is unable to confirm this at the time, the entity must carry out a reasonable and expeditious assessment within 30 days as to whether there are reasonable grounds to believe that an eligible data breach has occurred.
What are the notification obligations?
As soon as possible after an entity becomes aware that there are reasonable grounds to suspect an eligible data breach of the entity, a statement must be prepared and provided to the Commissioner. The statement must include:
- The identity and contact details of the entity
- A description of the serious data breach
- The kinds of information concerned, and
- Recommendations about the steps that individuals should take in response to the serious data breach.
If practicable, the entity must also take reasonable steps to notify the contents of the statement to each of the individuals to whom the relevant information relates, which may include phone, email or post. If individual notification is not practicable, the entity must publish a copy of the statement on the entity's website.
Are there any exceptions?
Entities will be exempt from notifying if they take sufficient remedial action before it results in serious harm, in response to:
- Unauthorised access or disclosure of personal information
- Loss of personal information
…such that a reasonable person would conclude that the loss, access or disclosure of the information is unlikely to result in serious harm.
Entities will also be exempt:
- If they are enforcement bodies and it is believed on reasonable grounds the disclosure would likely prejudice one or more “enforcement related activities”.
- In situations where notification would be inconsistent with a “secrecy provision”.
- Following a declaration from the Commissioner.
How will the changes affect your business & what can you do?
- It is expected the laws will come into effect 12 months after receiving royal assent.
- Relevant entities must comply with the new changes and notify the Privacy Commissioner and affected customers "as soon as practicable" after becoming aware that a data breach has occurred.
- Those that fail to notify the OAIC and affected individuals will face severe penalties of $360,000 for individuals and $1,800,000 for bodies corporate.
- It is prudent that businesses review and monitor their current information handling policies and IT security arrangements to reduce the risk of hackers getting hold of data and personal information.
- Data breaches can cause severe damage for all parties involved; ensuring that customer and client information is secure, safe and well protected is therefore as important as ever.