You'll soon have to inform the Office of the Australian Information Commissioner and any potentially affected individuals of an "eligible data breach".
The Privacy Amendment (Notifiable Data Breaches) Act 2017made its way through both houses of Parliament with bipartisan support and received Royal Asset on 22 February 2017. This will mean that, from 23 February 2018 (or earlier if a date is fixed by proclamation), the Privacy Act 1988 (Cth) will include a mandatory data breach notification scheme.
What you need to do
Organisations and Federal agencies subject to the Privacy Act (APP Entities) should take steps now to ensure that their practices and procedures will enable them to meet the new obligations to which they will be subject under the amended legislation.
The mandatory data breach notification scheme
The mandatory data breach notification scheme being introduced will require APP Entities to promptly notify the Office of the Australian Information Commissioner (OAIC) and any potentially affected individuals of an "eligible data breach".
The underlying purpose of the scheme is to ensure that individuals can take remedial steps in the event that their personal information is compromised.
When does the notification obligation arise?
The amended Privacy Act will require APP Entities to provide notice as soon as practicable to the OAIC and affected individuals where there are reasonable grounds to believe that an "eligible data breach" has occurred (unless an exception applies). Relevantly:
- a data breach will arise where there has been unauthorised access to, or unauthorised disclosure of, personal information about one or more individuals, or where such information is lost in circumstances that are likely to give rise to unauthorised access or unauthorised disclosure (for example, leaving the information on the bus);
- an eligible data breach will arise where a reasonable person would conclude that there is a likely risk of serious harm to any of the affected individuals as a result of the unauthorised access or unauthorised disclosure;
- serious harm, while undefined, is likely to include serious physical, psychological, emotional, economic and financial harm, as well as serious harm to reputation; and
- serious harm will be likely if such harm is "more probable than not" having regard to a list of relevant matters to be included in Part IIIC. The matters include the sensitivity of the information, any security measures taken (such as encryption) and how easily those security measures could be overcome (for example, if the encryption key has also been accessed).
This notification obligation will involve at least a two-step process. First, the APP Entity must prepare a statement containing certain prescribed information about the data breach and provide it to the OAIC. The APP Entity must then take steps to notify the affected individuals. The actual steps required will depend on the circumstances, but will usually include sending the statement to the individual via the usual means of communication between the APP Entity and individual.
If an APP Entity only has reasonable grounds to suspect that an eligible data breach has occurred, the notification obligation will not arise, However, the APP Entity will be required by the new legislation to complete a "reasonable and expeditious" assessment into the relevant circumstances within 30 days. Importantly, shutting one's eyes will not allow APP Entities to avoid the requirements of the Privacy Act.
Exceptions to the data breach notification requirement
Various exemptions to the notification requirement will be included in the amended legislation.
Perhaps the most interesting exception is that a notification will not need to be given if the APP Entity takes remedial action before any serious harm is caused by the breach.
This exemption demonstrates the value of early detection and action. Importantly, the ability of a company to detect a data breach at the first available opportunity and take action in respect of it will be a function of the organisation's preparedness for such an occurrence.
In order to be properly prepared, it is likely that a prudent organisation will have in place detailed policies and procedures which outline the steps that are to be taken in response to a serious data breach, regardless of whether that breach has occurred as a result of inadvertence on the part of the organisation and its employees (eg. as a result of personal information being lost) or following a co-ordinated attack by hackers.
A failure to comply with the notification obligations will fall under the Privacy Act's existing enforcement and civil penalty framework. Accordingly, APP Entities may be subject to anything from investigations to, in the case of serious or repeated non-compliance, substantial civil penalties.
What should you do
APP Entities have less than 12 months to prepare for the introduction of the mandatory data breach notification scheme. That time should be used wisely by APP Entities to:
- audit their current information security processes and procedures to ensure they are adequate (prevention will soon be much more palatable than the cure); and
- prepare a data breach response plan (or update their current plan) so as to enable the APP Entity to respond quickly, efficiently and lawfully to an actual or suspected data breach.
The OAIC currently operates a voluntary data breach notification scheme and has published various resources to assist APP Entities with their handling of data breaches. Much of that guidance will assist APP Entities in ensuring that they comply with the mandatory data breach notification scheme and it is expected that the OAIC will release new or updated guidance over the coming months. However, further steps are likely to be necessary in order to ensure that your organisation understands the impact of the scheme and to make the necessary preparations for its introduction.
Clayton Utz communications are intended to provide commentary and general information. They should not be relied upon as legal advice. Formal legal advice should be sought in particular transactions or on matters of interest arising from this bulletin. Persons listed may not be admitted in all states and territories.