Mandatory data breach notification regime to commence in 2018
The Federal Parliament recently passed the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth), which makes amendments to the Privacy Act 1988 (Cth) (Privacy Act), and makes it mandatory to report privacy breaches.
The amendments will replace the voluntary data breach reporting system currently in place.
The mandatory data breach reporting laws will come into force in February 2018. Under the new regime, entities covered by the Privacy Act will be required to take certain steps following any ‘eligible data breach’.
What is an ‘eligible data breach’?
An ‘eligible data breach’ will occur if:
- there has been unauthorised access to, or unauthorised disclosure of, personal information about one or more individuals (the affected individuals)
- a reasonable person would conclude there is a risk of serious harm to any affected individuals as a result
- the information is lost in circumstances where:
  - unauthorised access to, or unauthorised disclosure of, the information is likely to occur
  - assuming unauthorised access to, or unauthorised disclosure of, the information were to occur, a reasonable person would conclude that it would likely result in serious harm to the affected individuals.
‘Serious harm’ may include serious physical, psychological, emotional, economic and financial harm, as well as serious harm to reputation. The Privacy Act will be changed to contain a list of factors to be considered when determining whether access to, or disclosure of, personal information will result in serious harm, including the kind and sensitivity of the relevant information.
What must APP entities do in the event of an ‘eligible data breach’?
After commencement of the new laws, if an APP entity suspects it may have committed an eligible data breach, it will need to carry out an assessment/investigation within 30 days.
If such an assessment/investigation indicates there are reasonable grounds to believe an eligible data breach has occurred, then the APP entity will be required to lodge a statement with the Privacy Commissioner (Commissioner). Where practicable to do so, the APP entity will also need to notify the affected individuals. If it is not practicable to notify the affected individuals, the APP entity will need to publish a copy of the statement on its website, or publicise it in another manner.
If the Commissioner becomes aware there are reasonable grounds to believe there has been an eligible data breach, the Commissioner may direct the APP entity to take the steps mentioned above.
Exception to notification obligation
An exception to the requirement to notify will exist if there is a data breach but the APP entity takes remedial action, and as a result of that action:
- there is no unauthorised access to, or unauthorised disclosure of, the information
- there is no serious harm to affected individuals, and as a result of the remedial action, a reasonable person would conclude the breach is not likely to result in serious harm.
Consequences for failure to comply with the mandatory data breach obligations
Failure to comply with the mandatory data breach reporting obligations will be deemed an interference with the privacy of the affected individuals and will invoke the Commissioner’s powers under the Privacy Act. These include the power to conduct investigations, make determinations, seek enforceable undertakings and pursue civil penalties for serious or repeated interferences with privacy, including fines of up to $1.7 million for organisations.
How to prepare for the mandatory data breach notification regime
In order to prepare for the incoming mandatory data breach notification obligations, all APP entities should:
- review and update their current privacy practices and internal policies to reflect the new regime
- review and update their data breach response plans to address the incoming provisions
- review and update contracts with any third party service providers to ensure they are required to assist the APP entities to promptly address any data breaches.
Macpherson Kelly has assisted many organisations with their compliance with the Australian privacy regime. If you would like further information, please contact Kelly Dickson on (03) 9794 2541.