Preparing for mandatory data breach notification under the Privacy Act

From 22 February 2018 (or earlier, if proclaimed), organisations covered by the Privacy Act 1988 (Cth) (Privacy Act) may be required to notify affected individuals and the Office of the Australian Information Commissioner (OAIC) if they suffer a data breach, as a result of the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) (Amendment).

The Amendment was a long time coming, having first been introduced in 2008 by the Australian Law Reform Commission following a review of Australia’s privacy laws.

It is important for organisations to understand their obligations to ensure compliance.

Summary of the Substantive Provisions

Eligible Data Breach – Only data breaches which can be categorised as an ‘eligible data breach’ require notification. An eligible data breach arises when either:

  • there is unauthorised access or disclosure of personal information and a reasonable person would conclude that the disclosure or access is likely to result in serious harm to those individuals affected; or
  • information is lost in circumstances where unauthorised access or disclosure is likely to occur and assuming that unauthorised access or disclosure were to occur, a reasonable person would conclude that the disclosure or access is likely to result in serious harm to the affected individuals.

What is Serious Harm? – There is no set definition of what may cause “serious harm”; however, the Amendment outlines several factors which must be considered in making this assessment, including the sensitivity of the information, the types of people who have obtained the information, whether the information is protected by security measures and whether those measures can be circumvented.

Suspected Breaches – If a business becomes aware that there are reasonable grounds to suspect that there may have been an eligible data breach, then the business must carry out an investigation to determine whether the breach is an eligible data breach. This must generally be completed within 30 days of the business becoming aware of the potential breach.

Notification – If a business becomes aware that there are reasonable grounds to suspect that there has been an eligible data breach (whether following an investigation or without an investigation), then it must prepare a statement including:

  • its identity and contact details;
  • a description of the eligible data breach;
  • the types of information concerned; and
  • recommendations about the steps that individuals should take to protect themselves or mitigate harm.

This statement must not only be given to the Privacy Commissioner but steps must also be taken to notify affected individuals directly, for example, by calling them on the phone. If direct notification is unreasonably difficult or may cause further harm, then indirect notification, such as a notice on a website, may be used.

Notification Exemptions – The Amendment contains several exceptions, including in relation to remedial action following an eligible data breach, or potential breach. This is significant, because if an entity can quickly react and take steps sufficient to result in a reasonable person concluding that the unauthorised access, disclosure or loss is not likely to result in serious harm, then the eligible data breach is taken never to have been an eligible data breach.

Consequences of a failure to comply?

Failure to comply with the mandatory notification scheme will be deemed to be an interference with the privacy of an individual and a breach of the Privacy Act. Serious or repeated interference with the privacy of an individual attracts a maximum penalty of $360,000 for individuals and $1,800,000 for corporations.

How can your business prepare?

As many organisations would be aware, before the Amendment the Privacy Commissioner received voluntary reports. The Privacy Commissioner also issued the guidelines titled ‘Data breach notification guide: A guide to handling personal information breaches’. It is likely this guide will still provide useful methodologies for addressing data breaches.

That said, organisations covered by the Privacy Act should review their privacy management policies and procedures including the following:

Internal Processes – Organisations should develop or review their internal processes to ensure suspected or actual breaches can be identified and reported, and should have a predetermined strategy to deal with breaches.

Staff Training – Given the more robust compliance obligations, staff must be educated on the policies and procedures for identifying and reporting a data breach. It is also important to ensure staff are aware of circumstances that might give rise to a data breach, such as:

  • lost or stolen employee equipment;
  • employees accessing information where they were unauthorised to do so, whether intentionally or by accident;
  • records being stolen from storage or disposal units; or
  • employees mistakenly granting access to information to unauthorised third parties.

Breach Management Teams – In the event of a breach, it is important to react quickly. Aside from the legislative compliance, this will maximise the opportunity to minimise the damage to affected individuals and to the reputation of the organisation. To this end, an organisation should identify a breach management team which may include the following functions:

  • Legal;
  • the Chief Information Officer;
  • the Managing Director;
  • impacted business managers;
  • the Privacy Officer; and
  • a public relations expert.

Third Parties – Organisations should also consider their contractual arrangements with third party service providers, particularly cloud service providers located overseas. Does the organisation have appropriate contractual mechanisms requiring the third-party service provider to notify it of a breach? Significantly, who pays the costs and potential penalties associated with the data breach if the breach is the service provider’s fault? The notification process will potentially be costly and disruptive.

Conclusion

With the introduction of the Amendment, organisations should take the opportunity to revisit their privacy policies and procedures, not only to ensure they minimise the likelihood of a breach but also to establish a process should a breach occur. Being unprepared for a breach is a recipe for an organisation to incur significant cost and significant reputational damage.

If you have any queries or would like further information regarding this article, please contact:

Simon McDonald
Partner
M: 0402 843 198
E: smcdonald@pageseager.com.au

Rhiannon Fletcher
Lawyer
M: 0418 966 390
E: rfletcher@pageseager.com.au

Published: 11 April 2017

Copyright © 2016 Page Seager.