From February 2018, businesses will have new and onerous obligations when the mandatory data breach notification regime comes into force.
What is a data breach?
The privacy legislation protects ‘personal information’, being information about an individual from which their identity can be ascertained. A data breach typically occurs when personal information about an individual held by a business is, through accident or theft, disclosed to or accessed by a third party.
The type of personal information covered includes an individual’s name, address, email, passport and / or drivers licence details, financial information such as bank account details, tax file numbers, credit eligibility information and health information.
Data breaches can occur in various unpredictable and unfortunate scenarios. They could happen when an employee’s laptop is lost or stolen and files are accessed, when a client file is left in a taxi, when a database is ‘hacked into’, when paper records are stolen from insecure bins and even when, simply through administrative error, a business accidentally gives details about an individual (such as a client or customer) to a third party without the individual’s authorisation.
Why are the new data breach notification requirements being introduced?
The new data breach notification regime bolsters the current protections given to individuals in relation to unauthorised disclosures of their personal information in such situations. Affected businesses will now be required to inform both the Office of the Australian Information Commissioner (the privacy commissioner) and any potentially affected individual of a data breach.
The purpose of the new legislation is to enable affected individuals to take remedial steps if their personal information is compromised.
Who is bound?
The new data breach notification regime will apply to those already bound by the Privacy Act, including businesses with an annual turnover of $3 million or more.
When is a data breach notification required?
Notifying the regulator and the affected individual will be mandatory whenever the business becomes aware of any unauthorised access to, or disclosure of, an individual’s personal information and as a result there is a likely risk of serious harm to the individual.
Although not defined by the legislation, serious harm will likely cover situations where the breach leads to the individual being at a probable risk of identity theft, financial loss, physical or psychological danger, or reputational damage.
One noteworthy exception will exist: where remedial action is quickly taken before serious harm is caused, the data breach will not need to be reported. This exception will provide some relief for businesses that take a proactive approach to the data breach notification regime, having familiarised themselves with the potential circumstances in which they could face liability and being prepared for the eventuality.
What are the consequences of non-compliance?
Consequences for failing to comply with the new requirements include fines of up to $1.8 million for companies and $360,000 for individuals, where serious or repeated breaches of the Act occur.
What are your new obligations?
Under the new regime, where data breaches occur businesses will be required to:
- prepare a statement setting out the details of the business, the breach and the information concerned; and
- provide a copy of this statement to the Commissioner and any individual to whom the information relates (not just those at risk of serious harm).
Businesses may also need to publish the statement on the organisation’s website.
Even where there is only a mere reason to suspect that an organisation may have committed an eligible data breach, under the new law it will be required to undertake a ‘reasonable and expeditious assessment’ of whether a breach occurred within 30 days of becoming aware of this possibility. If the suspicion proves founded, then mandatory reporting applies.
The new mandatory obligations are additional to the existing overarching obligations businesses have to protect personal information and to make sure that data breaches do not occur.
What you need to do now
You need to ensure that your organisation is ready for the commencement of the data breach notification regime. In part, this involves ensuring that your business is otherwise compliant with the Privacy Act — having a purpose-drafted and properly enforced privacy policy and security procedures.
Existing privacy procedures should also be closely reviewed and amended to include a comprehensive data breach response plan. Businesses need to know how to respond quickly, effectively and within the requirements of the law, in the event that a data breach does occur. Employees should also be made well aware of what personal information the organisation deals with and be equipped with strategies for protecting that information.
More information
If you would like to discuss the new mandatory data breach notification regime, require a privacy policy drafted or updated, or need assistance with any privacy law-related matter, please contact Daniel Kovacs, Principal Lawyer, on (03) 8600 8859 or dkovacs@kcllaw.com.au.
Note: This update is a guide only and is not intended to constitute legal advice.