From 22 February 2018, the Privacy Act 1988 (Cth) will include a mandatory data breach notification scheme. Under the scheme, entities governed by the Privacy Act, often referred to as APP entities, will be required to notify the Office of the Australian Information Commissioner (OAIC) and any affected individuals of ‘eligible data breaches’.
One only has to look to Uber’s recent admission of a worldwide data breach, exposing 57 million of its users, to understand why the introduction of mandatory data breach notifications in Australia is welcomed. Whilst providing comfort to many Australians, the scheme’s introduction will place the onus on Australian businesses to adequately prepare for these changes.
If you’re an APP entity, which includes businesses with an annual turnover of over $3 million, Government agencies and a number of small business operators, this is what you need to know about the new scheme.
Under the scheme, should an APP entity have reasonable grounds to suspect an ‘eligible data breach’ has occurred, the entity will be required to notify the affected individual/s and OAIC. An ‘eligible data breach’ occurs where there has been ‘unauthorised access to, unauthorised disclosure of, or loss of, personal information held by an entity’ and ‘the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates’.
The notification requirements of the regime will include APP entities:
1. Conducting an expeditious assessment of the suspected breach within 30 days of becoming aware of it. An assessment involves:
a. Determining whether an assessment is required, and identifying who will be responsible for conducting it;
b. Gathering information in relation to the suspected breach – who had access to the information, and what information is affected;
c. Evaluating the information, and determining whether the breach constitutes an ‘eligible data breach’.
2. Notifying the OAIC and the affected individual/s by:
a. Preparing a statement setting out the entity’s details, a description of the breach, the kind of information concerned, and recommendations about what individuals should do in response to the breach;
b. Providing a copy of this statement to the OAIC and, if practicable, to the affected individual/s.
There are some exceptions to the above notification requirements.
1. Third parties – if another entity has already provided notifications in relation to the same data breach, for example as a result of shared services arrangements; and
2. Remedial action – if an organisation takes remedial action whereby the breach does not result in serious harm, the breach is unlikely to be deemed an ‘eligible data breach’.
Should an APP entity breach its obligations under the Act, civil penalties may apply. At present, the maximum civil penalty is 2000 penalty units, or $1.8 million.
Prior to 22 February 2018, businesses should review the adequacy of their practices and procedures to ensure that their obligations under the amended legislation can be met in the event of a data breach. Further, businesses should prepare a response plan, or amend their current plan, to allow for quick, efficient and lawful response to any suspected or actual data breaches.
In addition to the above considerations, a review of your business’ contracts with service providers and third parties should be conducted. This will ensure that each party understands its responsibilities under the notification scheme.
If you’d like to discuss the mandatory data breach notification laws, call Rouse Lawyers’ technology team on 07 3648 9900.