On 22 February 2017 the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) (“the Act”) received Royal Assent, and will come into effect on 23 February 2018 (unless another earlier date is chosen).
The Act amends the Privacy Act to establish a mandatory, nationwide data breach notification scheme (“the Scheme”).
Who do the Changes Apply to?
The Scheme will affect all entities currently subject to the Privacy Act, including Government agencies, private organisations with an annual turnover of more than $3 million, and some private sector corporations such as health care providers and credit reporting agencies.
All affected entities need to take action now to ensure that their practices and procedures will enable them to meet their new obligations under the legislation.
What are the Changes?
The Scheme will require companies and Government agencies to notify the Office of the Australian Information Officer (“OAIC”) and any potentially affected parties of what is referred to as an ‘eligible data breach’.
The Act defines an ‘eligible data breach’ as unauthorised access to, unauthorised disclosure of, or loss of personal information held by an entity, where a reasonable person would conclude that the access, disclosure or loss would be likely to result in serious harm to any of the individuals to whom the information relates.
An entity that becomes aware that a breach may have occurred is required to carry out an assessment of whether it amounts to an ‘eligible data breach’ within 30 days of becoming so aware.
Exceptions to the Rule
Various exceptions to the need to report an eligible data breach are contained in the legislation, including:
- If the entity takes remedial action before any serious harm is caused by the breach; and
- Where notifying individuals would prejudice law enforcement activities, police and intelligence agencies are not required to comply.
Failure to undertake the required assessment and subsequent notification, if required, will be deemed to be an interference with an individual’s privacy under the Privacy Act. The Commissioner may instigate an investigation, make a determination, and pursue civil penalties.
Civil penalties only apply to serious and repeated breaches of the Privacy Act, with a maximum penalty for individuals of $360,000 and $1,800,000 for companies.
What you need to do to Prepare
The Scheme’s notification requirements could prove quite costly, and result in adverse publicity for the subject entity, so it is important that companies and agencies do all they can now to ensure their privacy practices are stringent, to avoid the need to make a notification.
It is prudent for all entities to review their internal protocols for the protection of their clients’ personal information, and their processes for the timely detection of and response to data breaches. Further, entities should ensure that they have protocols in place to carry out the required assessment of any breach within the 30-day timeframe provided by the legislation.