Mandatory data breach reporting requirements commenced on 22 February 2018. Organisations that are bound by the Privacy Act 1988 (Cth) (Privacy Act) need to report certain data breaches to the affected individual(s) and the Australian Information Commissioner.
What is a data breach?
Personal information is breached when it is accessed by someone who is not authorised to access it (e.g. hacking), it is disclosed to someone who is not authorised to have it (e.g. mistaken publication by the organisation), or, in certain cases, when information is simply lost or stolen (e.g. a stolen laptop or a misplaced physical file).
Breaches may include when:
- a database containing personal information is hacked or stolen
- a computer, phone or other device containing customer information is lost or stolen; or
- personal information has mistakenly been provided to the wrong person
Not all data breaches will be notifiable.
What is a notifiable breach?
A breach that is likely to result in serious harm to an individual will need to be notified.
Serious harm is broad and can include physical, psychological, emotional, economic and financial harm as well as serious harm to reputation.
When determining whether a data breach is likely to result in serious harm, factors to consider include the kind and sensitivity of the information concerned, who has or could have the information, and how secure the information is (e.g. whether it was encrypted, the strength of that encryption, and whether the decryption key was also exposed).
What you need to do now
If your organisation is covered by the Privacy Act, you must:
1. Review your data collection, use and disclosure practices to ensure you are meeting your present obligations.
2. Have the systems in place to assess suspected and actual data breaches and take action in accordance with your organisation’s obligations under the mandatory notification regime.
3. Have established procedures for:
- assessing, within 30 days of becoming aware of reasonable grounds to suspect a breach, whether or not a reasonable person would conclude that the breach is likely to result in serious harm to any of the individuals to whom the information relates; and
- if you conclude that the breach is likely to result in serious harm:
  - preparing a statement setting out your organisation’s identity and contact details, a description of the nature of the breach and the kind of information concerned, and the steps you recommend the individual should take in response to the breach; and
  - taking whatever steps are reasonable in the circumstances to notify the affected individuals and the Australian Information Commissioner of the statement as soon as possible.
4. Train your staff. Any data breach procedure is effective only to the extent it is known, understood and acted upon by the people within your organisation who might come into contact with suspected data breaches in day-to-day operations. A crucial part of an effective breach response procedure is ensuring all key people know how to recognise a potential data breach, and are trained in exactly what to do in particular situations.
The new law recognises that swift, decisive action following a notifiable data breach can prevent serious harm to individuals. If a breach is likely to result in serious harm to an individual, the organisation should take remedial action immediately. For example, if a device containing personal information is lost, the organisation may remotely erase the device before any unauthorised access to the information has occurred.
If the organisation takes remedial action before the breach results in serious harm, and a reasonable person would conclude that, as a result of this remedial action, serious harm to individuals is not likely, then notification of the breach is not required. In these circumstances, the breach is not (and is taken never to have been) a notifiable data breach.
We’re here to help
We are experienced in advising organisations as to their privacy obligations, and working with clients to deal with data breaches (and suspected data breaches).
To mark Privacy Awareness Week, Rigby Cooke Lawyers are offering businesses a complimentary one-hour privacy risk consultation* to assist them in understanding their privacy compliance obligations. Check out our ‘Are you at privacy risk?’ page for more information.
In addition, businesses can download our ‘Are you privacy compliant?’ checklist, to help better understand the basics of protecting personal information.
*Subject to limited availability
- Personal information means information or an opinion about an identified individual or an individual who is reasonably identifiable (e.g., name, address, email address, credit card information).
- Sensitive information includes information or an opinion (that is also personal information) about an individual’s race, political opinions, religious beliefs, membership of a professional or trade association, or sexual orientation, as well as health and genetic information about an individual.
- Generally speaking, government agencies and entities with an annual turnover of more than $3 million are required to comply with the Notifiable Data Breaches (NDB) scheme, but entities with a lower turnover may also be required to comply, including if they provide a health service, are related to an organisation that has a turnover of more than $3 million, trade in personal information, provide services to the Commonwealth under a contract, or are a credit reporting body.