The long-awaited Privacy Amendment (Notifiable Data Breaches) Bill 2016 (the data breach law) has been passed by both houses of the Parliament.

The data breach law creates a reporting obligation when an 'eligible data breach' occurs. The reporting obligations apply to certain Australian Privacy Principle entities, credit reporting bodies, credit providers and tax file number recipients, who are generally subject to existing privacy laws. The aim behind the data breach law is to improve the privacy protection of Australians in the event of a data breach without creating an unreasonable regulatory burden for businesses.

While the final version of the data breach law is pending royal assent, here is a summary of what can be expected.

What is an eligible data breach?

An 'eligible data breach' occurs if there is unauthorised access, disclosure or loss of personal information which is likely to result in serious harm to any of the individuals to whom the information relates.

In some circumstances, access, disclosure or loss that is followed by remedial action will not be an eligible data breach. For example, a disclosure of information is not, and is taken never to have been, an eligible data breach if:

  • action is taken by the entity before the disclosure results in serious harm to the individual; or
  • a reasonable person would conclude that the disclosure would not be likely to result in serious harm.

The data breach law sets out specific factors to be considered when determining whether serious harm would or would not be likely. These factors include the nature and sensitivity of the information, whether the information is protected by one or more security measures, and the nature of the harm.

When is notification required?

Notification obligations are triggered when an entity has reasonable grounds to believe that there has been an eligible data breach of the entity.

What if there is only a suspicion of a breach?

Where there is a reasonable suspicion that an eligible data breach has occurred, but there is not enough information to have reasonable grounds to believe that there has been an eligible data breach considering all the circumstances, the entity must carry out a 'reasonable and expeditious assessment'. Entities must take reasonable steps to ensure that this assessment is completed within 30 days of the entity becoming aware of the grounds of suspicion.

Who must be notified?

These obligations are to:

  1. Prepare a statement and notify the Australian Information Commissioner

A statement relating to the breach must be prepared as soon as practicable describing the breach, identifying the information affected, and recommending the steps that individuals should take in response to the eligible data breach.

  2. Notify affected individuals

The data breach law imposes a new obligation, setting out when and how entities should disclose an eligible data breach to affected individuals. This extends not only to individuals whose information has been compromised, but also to individuals who are at risk from their information being compromised through an eligible data breach. Entities can notify affected individuals using their normal mode of communication; if this is not practicable, the entity must publish a copy of the statement on its website (if any) and take reasonable steps to publicise the contents of the statement.

In each case, this must be done as soon as practicable after having prepared the statement.

Consequences of non-compliance

The new data breach laws form part of the existing privacy enforcement framework in Australia. In particular, the Commissioner retains its investigatory powers under the Privacy Act 1988 in relation to these new obligations. The Commissioner can, therefore, investigate possible noncompliance with the mandatory notification scheme, and apply to a court to impose a civil penalty in serious cases.

When will it take effect?

The bill is currently pending royal assent. The government has not yet set a date for when the data breach law will take effect, but it is likely to be within 12 months.

What should we be doing now?

At this stage, we recommend ensuring the appropriate people in the organisation are notified of the upcoming changes. There will need to be a review of processes and procedures, including the development of compliance programs relevant to breach identification, investigation and reporting.

We will be providing more information about the specific requirements for Australian Credit Licensees and Australian Financial Services Licensees in the coming weeks. In the meantime, please contact our Melbourne or Sydney office to discuss how we may assist you with the new laws.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.