The Privacy Act 1988 (the Act) was amended on 22 February 2018 to place new obligations on entities in responding to data breaches of personal information. The Privacy Amendment (Notifiable Data Breaches) Act 2017 introduced the Notifiable Data Breaches scheme under Part IIIC of the Act, requiring certain entities to notify both the Australian Privacy Commissioner (Commissioner) and affected individuals if an eligible data breach occurs, with large penalties for non-compliance.

Who has an obligation to notify in the case of breach?

The entities required to notify in the case of breach fall under three main categories:

  1. Entities that have obligations to protect the personal information they hold under Australian Privacy Principle 11 of the Act (APP Entities):
    • Australian government agencies;
    • businesses and non-profits with annual turnover of more than $3 million;
    • small businesses with less than $3 million annual turnover that, amongst other things, disclose personal information about another individual to anyone else for a benefit, service or advantage.
  2. Credit reporting bodies and credit providers.
  3. Entities that are in possession or control of a record that contains Tax File Number (TFN) information, which is information that connects a TFN with the identity of a particular individual, such as:
    • State and Territory agencies; and
    • most small businesses in their capacity as employers.

What is an eligible data breach?

Personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable. An eligible data breach of personal information can occur in two ways. There must either be:
  1. unauthorised access to or disclosure of personal information; or
  2. the loss of personal information in circumstances where unauthorised access or disclosure is likely to occur.

In both cases, a reasonable person must consider the breach as “likely to result in serious harm” to the individuals to whom the information relates in order for it to constitute an eligible data breach. While the Act does not define “serious harm,” it lists the matters to consider in determining whether serious harm is likely to result, including the kind of information, the sensitivity of the information and the security measures the information is protected by, if any.

A breach is not taken to be an eligible data breach, and therefore does not need to be notified, if after the data breach:

  1. the entity takes action in relation to the access or disclosure before the access or disclosure results in any serious harm to the relevant individuals; and
  2. as a result of that action, a reasonable person would conclude that the access or disclosure would not be likely to result in any serious harm to any of those individuals.

So, you think you may have to notify. What do you do next?

  1. Assess a suspected eligible data breach

If there is reason to suspect an eligible data breach, an entity must carry out a reasonable and expeditious assessment of whether there are reasonable grounds to believe that the circumstances amount to a breach. This assessment must occur within 30 days after the entity becomes aware of any reasonable grounds to suspect a breach.

  2. Notify the Commissioner of an eligible data breach

As soon as an entity becomes aware that there are reasonable grounds to believe there has been a breach, it must prepare for the Commissioner a statement setting out specific information listed in the Act such as the identity and contact details of the entity and the kind of information accessed or disclosed. In addition, the statement must contain recommendations about the steps that individuals should take in response to the breach.

  3. Notify affected individuals of an eligible data breach

In addition to notifying the Commissioner, an entity must notify all individuals to whom the data breach relates and also all individuals who are at risk from the breach by informing them of the contents of the statement given to the Commissioner. If it is not practicable for an entity to notify these individuals, it must instead publish a copy of the statement on its website and take reasonable steps to publicise the contents of the statement.

What does this mean for Australian businesses to whom the changes apply?

Non-compliance with the Act can see companies face civil penalties of up to $2.1 million and possibly damages for loss to the affected individuals. In addition, data breaches may have ramifications beyond financial penalties, affecting customers’ confidence in and the reputation of a business.

To minimise the risk of potential data breaches, or to ensure effective management if any occur, businesses should create or update their data breach response plans to comply with the Notifiable Data Breaches scheme. It is important for businesses to clearly delegate the roles and responsibilities of staff when a breach occurs, so that the response is quick and effective. Businesses with obligations under the Act may also wish to consider purchasing appropriate insurance to protect themselves in the event of a breach; however, this is a commercial matter for each business.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.