The introduction of a mandatory data breach notification requirement under the Privacy Act 1988 (Cth) (Act) is fast approaching and will require changes to internal privacy compliance procedures.
The proposed Privacy Amendment (Notifiable Data Breaches) Bill 2016 will introduce mandatory data breach notification provisions for all APP entities, credit reporting bodies, credit providers and tax file number recipients.
This Bill follows the same general formula as the previously lapsed incarnations of the Bill. If passed, an entity that has reasonable grounds to believe that an ‘eligible data breach’ has occurred will need to make various notifications as soon as practicable after becoming aware of the breach.
What is an ‘eligible data breach’?
An ‘eligible data breach’ will occur where:
- There is unauthorised access to, or unauthorised disclosure of the information, which a reasonable person would conclude would likely result in serious harm (i.e. physical, psychological, emotional, economic or financial harm) to any affected individuals; or
- Information is lost in circumstances where unauthorised access, or unauthorised disclosure of the information is likely to occur and if that were to occur, a reasonable person would conclude that the access or disclosure would likely result in serious harm to any affected individuals.
Examples of incidents that would require a data breach notification would include a malicious breach of the secure storage and handling of information (e.g. in a cyber security incident), or an accidental loss of information (most commonly of IT equipment or hard copy documents).
Are there any exceptions?
There will be an exception to the notification regime where the entity has undertaken ‘remedial action’ and, as a result of that action, the loss of information or the unauthorised access or disclosure would no longer be likely to result in ‘serious harm’ to the affected individuals.
What are the notification requirements?
Once an entity is aware that there are reasonable grounds to suspect that there may have been an ‘eligible data breach’, the entity will have 30 days to carry out a ‘reasonable and expeditious assessment’ of the circumstances to determine whether that suspicion is well founded. If the assessment satisfies the entity that there are reasonable grounds to believe that an ‘eligible data breach’ has occurred, the entity must, as soon as practicable, notify the Office of the Australian Information Commissioner.
In addition, there is a requirement to notify individuals to whom the compromised information relates.
Who is responsible for overseas ‘data breaches’?
An entity that has disclosed personal information to an overseas recipient will in most circumstances be accountable for any ‘eligible data breach’ by the overseas entity, even if the ‘eligible data breach’ occurred offshore.
Penalties for contravening these requirements can be as much as $1.8 million for a body corporate.
Once the Bill is enacted, it will be important to review and update your internal privacy compliance policies to ensure that you have sufficient procedures in place to:
- internally escalate data breaches that are identified; and
- identify the relevant considerations for determining whether a data breach must be reported.
Good compliance policies will address each of these items in some detail.