Rouse Lawyers

Are You Prepared For Mandatory Data Breach Notification Laws?

From 22 February 2018, the Privacy Act 1988 (Cth) will include a mandatory data breach notification scheme. Under the scheme, entities governed by the Privacy Act, often referred to as APP entities, will be required to notify the Office of the Australian Information Commissioner (OAIC) and any affected individuals of ‘eligible data breaches’.

One only has to look to Uber’s recent admission of a worldwide data breach, exposing 57 million of its users, to understand why the introduction of mandatory data breach notifications in Australia is welcomed. Whilst providing comfort to many Australians, the scheme’s introduction will place the onus on Australian businesses to adequately prepare for these changes.

If you’re an APP entity, which includes businesses with an annual turnover of over $3 million, Government agencies and a number of small business operators, this is what you need to know about the new scheme.


The scheme

Under the scheme, should an APP entity have reasonable grounds to suspect an ‘eligible data breach’ has occurred, the entity will be required to notify the affected individual/s and OAIC. An ‘eligible data breach’ occurs where there has been ‘unauthorised access to, unauthorised disclosure of, or loss of, personal information held by an entity’ and ‘the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates’.

The notification requirements of the regime will require APP entities to:

1. Conduct an expeditious assessment of the suspected breach within 30 days of becoming aware of it. An assessment involves:

a. Determining whether an assessment is required, and identifying who will be responsible for conducting it;

b. Gathering information about the suspected breach – who had access to the information, and what information is affected;

c. Evaluating the information, and determining whether the breach is an ‘eligible data breach’.

2. Notify the OAIC and affected individual/s by:

a. Preparing a statement setting out the entity’s details, a description of the breach, the kind of information concerned, and recommendations about what individuals should do in response to the breach;

b. Providing a copy of this statement to the OAIC and, if practicable, to the affected individual/s.


Exceptions

There are some exceptions to the above notification requirements.

These include:

1. Third parties – if another entity has already provided notifications in relation to the same data breach, as a result of shared services arrangements; and

2. Remedial action – if an organisation takes remedial action so that the breach does not result in serious harm, the breach is unlikely to be deemed an ‘eligible data breach’.


Penalties

Should an APP entity breach their obligations under the Act, civil penalties may apply. At present, the maximum civil penalty administrable is 2000 penalty units, or $1.8 million.


Preparation

Prior to 22 February 2018, businesses should review the adequacy of their practices and procedures to ensure that their obligations under the amended legislation can be met in the event of a data breach. Further, businesses should prepare a response plan, or amend their current plan, to allow for a quick, efficient and lawful response to any suspected or actual data breach.

In addition to the above considerations, a review of your business’ contracts with service providers and third parties should be conducted. This will ensure that each party understands its responsibilities under the notification scheme.


If you’d like to discuss the mandatory data breach notification laws, call Rouse Lawyers’ technology team on 07 3648 9900.

December 19, 2017 Filed Under: Technology
