Are you ready to report a data breach?
17 May 2016
The effects of a privacy breach can extend beyond fines and apologies: the damage to a business’s reputation and goodwill can be costly and may take years to rebuild.
In November 2015, the Australian Government released a draft bill to amend the Privacy Act 1988 (Cth) (Privacy Act). If passed, the Privacy Amendment (Notification of Serious Data Breaches) Bill 2015 (Bill) will require organisations regulated by the Privacy Act and Australian Privacy Principles (APP Entities) to give notice to both the Office of the Australian Information Commissioner (OAIC) and to affected individuals when a serious data breach occurs.
The Bill has recently been open for public consultation. There appears to be strong support for the Bill and a good prospect of it passing into law later this year.
When will notification be necessary?
If the Bill is passed in its current form, an APP Entity will need to make a notification to the OAIC and to affected individuals if it is aware, or ought to have been aware, that there are reasonable grounds to believe that a serious data breach has occurred.
The rationale behind the notification is to allow individuals whose personal information has been compromised, or may be compromised, to take remedial steps to avoid potential adverse consequences, such as financial loss or identity theft.
What will need to be notified?
To be notifiable, the breach (or suspected breach) must be a serious data breach, i.e. a breach where there is a real risk of serious harm to the affected individual as a result of the data breach. ‘Serious harm’ includes physical, psychological, emotional, economic and financial harm, as well as harm to reputation.
When considering whether a real risk of serious harm exists, regard will need to be had to the kind of information concerned, the sensitivity of the information, whether steps have been taken to mitigate the harm and any other relevant matters in the circumstances.
Clearly, any requirement to give notice of a breach or suspected breach will cause significant damage to an entity’s reputation and has the potential to affect its business.
How can you prepare?
If passed, APP Entities will have 30 days from when they become aware (or ought reasonably to have become aware) of a breach in which to conduct an assessment as to whether a serious data breach has occurred. This means that appropriate data breach response procedures and a plan must be in place before the Bill comes into effect.
In addition to preparing a data breach response plan, we urge you to review the privacy practices and procedures currently in place in your organisation, to ensure that the personal information you hold is subject to the highest degree of security and control and that a potential breach does not occur.
If you would like us to assist you with this review, we can:
- provide you with an internal audit questionnaire for you to complete in relation to your organisation’s interactions with personal information. The questionnaire is designed to get you and your staff thinking about your interactions with personal information, which often extend further than you may first think;
This week marks OAIC Privacy Awareness Week. Continue the conversation: #2016PAW