From 22 February 2018, the Privacy Act 1988 (Cth) will include a mandatory data breach notification scheme. Under the scheme, entities governed by the Privacy Act, often referred to as APP entities, will be required to notify the Office of the Australian Information Commissioner (OAIC) and any affected individuals of ‘eligible data breaches’.
One only has to look to Uber’s recent admission of a worldwide data breach, exposing 57 million of its users, to understand why the introduction of mandatory data breach notifications in Australia is welcomed. While the scheme will provide comfort to many Australians, its introduction places the onus on Australian businesses to prepare adequately for these changes.
If you’re an APP entity, which includes businesses with an annual turnover of over $3 million, Government agencies and a number of small business operators, this is what you need to know about the new scheme.
Under the scheme, should an APP entity have reasonable grounds to suspect an ‘eligible data breach’ has occurred, the entity will be required to notify the affected individual/s and OAIC. An ‘eligible data breach’ occurs where there has been ‘unauthorised access to, unauthorised disclosure of, or loss of, personal information held by an entity’ and ‘the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates’.
The notification requirements of the regime will include APP entities:
1. Conducting an expeditious assessment of the suspected breach within 30 days of becoming aware of it. An assessment involves:
a. Determining whether an assessment is required, and identifying who will be responsible for conducting the assessment;
b. Gathering information in relation to the suspected breach – who had access to the information, what information is affected;
c. Evaluating the information and determining whether the breach amounts to an ‘eligible data breach’.