After years of deliberation, a mandatory data breach notification scheme, introduced by the Privacy Amendment (Notifiable Data Breaches) Bill 2016 (Cth) (Bill), will come into effect in Australia within 12 months of the Bill receiving royal assent.
The Bill applies to the organisations and government agencies already covered by the Privacy Act 1988 (Cth) (Privacy Act); its provisions do not apply to state government organisations, local councils or (generally speaking) businesses with an annual turnover of less than $3 million.
We outline the key obligations introduced by the Bill below:
- Organisations currently subject to the Privacy Act must notify the Privacy Commissioner and affected individuals as soon as practicable after becoming aware of an “eligible data breach”, being:
- unauthorised access to, or unauthorised disclosure of, personal information (including identifying information, credit details and tax file number information) that would be likely to result in “serious harm” [1] to the individuals to whom the personal information relates; and
- a loss of data containing personal information (for example, misplacing an external hard drive containing a list of customer contact details) where unauthorised access to, or disclosure of, that personal information would be likely to result in “serious harm” to the relevant individuals.
- The notification statement to the Privacy Commissioner must set out the identity and contact details of the breached organisation, a description of the eligible data breach, the kind of information concerned, and recommended steps for the affected individuals to take in response to the breach.
- Depending on whether it is practicable to contact those affected by the breach, the statement prepared for the Privacy Commissioner must also be:
- sent to each of the individuals to whom the information subject of the breach relates; or
- sent to each of the individuals who are at risk from the eligible data breach; or
- published on the organisation’s website, with reasonable steps taken to publicise its contents more widely.
- Organisations that become aware of grounds to suspect an eligible data breach must carry out a reasonable and expeditious assessment of whether an eligible data breach has in fact occurred, and complete that assessment within 30 days of becoming aware of the circumstances that gave rise to the suspicion.
The obligations above also apply to overseas breaches where organisations subject to the Privacy Act have disclosed personal information to foreign recipients. Organisations that fail to comply with the data breach notification provisions could face a civil penalty of up to $1.8 million. Arguably the biggest risk under these laws, however, is that notifying a breach may be treated as an admission of liability, opening the door to negligence claims and class actions.
It is important to note that a breached organisation can apply to the Privacy Commissioner, on a case-by-case basis, for a declaration that effectively exempts it from the requirement to prepare a data breach notification statement. Organisations can also apply for extra time to send the statement to affected individuals.
Organisations currently governed by the Privacy Act (and those likely to meet the $3 million turnover threshold in the near future) should review their data security practices now and ensure that effective systems are in place to assess suspected breaches and notify affected individuals should an eligible data breach occur. If you would like advice on whether the new data breach notification scheme applies to your organisation and how best to prepare for it, please contact our Privacy and Data Protection team.
[1] The Privacy Act does not define “serious harm”; however, we understand it to capture a broad range of physical, psychological and economic harm, as well as serious harm to a person’s reputation. The new provisions list a number of matters to consider in determining whether access to, or disclosure of, personal information would be likely to result in “serious harm”. These include:
- the kinds of information involved in the breach and whether that information is particularly sensitive;
- the nature of the harm that could be inflicted on the individual to whom the information relates;
- the kinds of people who would (or could) have access to the information as a result of the breach;
- whether those people would harbour an intention to use the information to harm the affected individual; and
- whether those people would be able to decrypt or overcome any security measures taken to protect the information.