On 23 February 2018, amendments to the Privacy Act 1988 (Cth) (the Act) introducing mandatory data breach notification laws took effect. In this article, Richard Suters, Principal of of our Corporate and Commercial group, considers the impact of the new privacy laws and how businesses should respond to an eligible data breach.
What are the new laws?
The Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) amended the Act to introduce new privacy laws regarding the mandatory notification of certain data breaches. The new laws require ‘APP Entities’ to notify the Office of the Australian Information Commissioner (the OAIC) of any ‘eligible data breaches’. The APP Entity may also be required to report to any individuals who have been affected by the breach.
Do these laws apply to me?
The new laws apply only to APP Entities. APP Entities are those organisations and agencies that are required to comply with the Act and, in particular, the Australian Privacy Principles. If your organisation:
- is a business or not-for-profit organisation with an annual turnover of $3,000,000.00 or more; or
- provides health services to individuals; or
- trades in personal information; or
- is a contracted service provider for a Commonwealth contract; or
- is a credit reporting body;
it is likely to be an APP Entity and subject to the new laws. It must also comply with the other provisions of the Act.
What is an ‘eligible data breach’?
A data breach under the Act will occur when personal information about an individual is the subject of unauthorised access, unauthorised disclosure, or is lost and unauthorised access or unauthorised disclosure to that information is likely to occur as a result. A data breach will become an eligible data breach if a reasonable person would conclude that the breach would be likely to result in ‘serious harm’ to the individual to which the information relates.
What is serious harm?
Although the concept of ‘serious harm’ has not been defined, the explanatory memorandum to the bill states that it could include serious “physical, psychological, economic and financial harm, as well as serious harm to reputation and other forms of serious harm…”. Until the courts have the opportunity to provide guidance on the meaning of ‘serious harm’, we can be guided by certain relevant factors such as the sensitivity of the information, whether the information was protected by one or more security measures and who has actually obtained or accessed the information.
What are the consequences of an ‘eligible data breach’?
If an APP Entity is aware of reasonable grounds to believe there has been an eligible data breach, it is required to undertake a reasonable and expeditious assessment within 30 days to ascertain whether a relevant breach has in fact occurred.
If an APP Entity determines that there has been an eligible data breach, it is required to draft a statement identifying the name and contact details of the entity, a description of the breach, the kinds of personal information concerned, and recommendations about the steps the affected individuals should take in response to the breach. This statement must be provided to the OAIC and the APP Entity must either notify the affected individuals of the content of that statement or publish the statement publicly.
Failure to comply with the notification requirements may result in investigation and civil penalties of up to $2.1m for a corporation.
Can a breach be remedied?
If personal information is subject to unauthorised access or unauthorised disclosure, an APP Entity may be able to take remedial action to prevent that breach becoming an eligible data breach. Provided the APP Entity takes remedial action in relation to the access or disclosure and does so before it results in serious harm to any of the individuals to which that information relates, the access or disclosure is not an eligible data breach.
This exemption applies so long as the remedial action results in a reasonable person concluding that the access or disclosure would not be likely to result in serious harm to those individuals affected by the breach.
This article was co-written by Litigation Lawyer, Scott Homan.
This article is not legal advice. It is intended to provide commentary and general information only. Access to this article does not entitle you to rely on it as legal advice. You should obtain formal legal advice specific to your own situation. Please contact us if you require advice on matters covered by this article.