The passage of the Privacy Amendment (Notifiable Data Breaches) Bill 2016 establishes a mandatory data breach notification scheme in Australia.
“I look forward to working with government, business and consumer groups during transition to this new scheme, which will help protect the privacy rights of individuals, and strengthen community trust in businesses and agencies,” said Australian Information and Privacy Commissioner Timothy Pilgrim.
Most small businesses (defined as those with an annual turnover of $3 million or less) do not fall under the Privacy Act and consequently do not have to comply with the new reporting requirements.
However, a small business is covered by the Act if it provides health services to individuals or holds any health information except in an employee record; discloses personal information about other individuals to anyone else for a benefit, service or advantage; provides a benefit, service or advantage to collect personal information about other individuals from anyone else; is a contracted service provider for a Commonwealth contract; is a credit reporting body; or if it is a body corporate related to another that carries on a business with a turnover of more than $3 million.
As a result of the small business exemptions, only about 6 percent of Australian businesses will be required to report data breaches.
Since the Privacy Act has been in force for a number of years, you really should already know whether your business is subject to its provisions. If it is, here are some key points about the new disclosure rules.
A data breach is deemed to have occurred in the event of “unauthorised access to, or unauthorised disclosure of, personal information about one or more individuals, or where such information is lost in circumstances that are likely to give rise to unauthorised access or unauthorised disclosure”.
Personal information is information about an identified or reasonably identifiable individual.
A data breach is reportable to the Australian Information Commissioner and the affected individuals if “a reasonable person would conclude that there is a likely risk of serious harm to any of the affected individuals as a result of the unauthorised access or unauthorised disclosure”, where “likely” means that serious harm is “more probable than not”.
So if remedial action has been taken that means the unauthorised access or disclosure is not likely to result in serious harm to the affected individuals, reporting may not be necessary.
Nor is there a requirement to notify every affected individual: only those at likely risk of serious harm need be told.
If a business or organisation has reasonable grounds to suspect that a reportable breach has occurred, it must make a “reasonable and expeditious assessment” of whether it is in fact reportable, normally within 30 days. Once that assessment concludes the breach is reportable, the statement to the Commissioner and the notification of affected individuals must follow as soon as practicable.
If multiple organisations hold the same data, for example under an outsourcing agreement, and a reportable breach occurs, only one of them is required to make a report. There is no requirement that any particular one of those organisations conducts the necessary assessment - but if none of them do, they may all be held to have broken the law.
Where businesses or other organisations fail to meet the new reporting requirements, the Commissioner can impose less severe remedies such as public or personal apologies, compensation payments or enforceable undertakings. Civil penalties – up to $360,000 for individuals and $1,800,000 for bodies corporate – could be sought where there has been serious or repeated non-compliance with the mandatory notification requirements.
“My office will be working closely with agencies and businesses to help prepare for the scheme’s commencement. This will include providing additional guidance over the next 12 months, and events hosted through the OAIC’s Privacy Professionals Network,” said Pilgrim.
“In the meantime, agencies and businesses should continue to take reasonable steps to make sure personal information is held securely – including being equipped with a clear response plan in the event of a data breach.”
Like most legal matters, the breach reporting requirements are not simple, so if you think you may be subject to them it could be worth seeking expert advice before an incident occurs.
There are specialists in the area, including Information Integrity Solutions (IIS), which has former Privacy Commissioner Malcolm Crompton as its managing director.
IIS has published a checklist of steps to be taken in the event of a suspected privacy breach, as well as a case study describing how one of its clients dealt with an external hack.
The Office of the Australian Information Commissioner is expected to update its document, Data breach notification – A guide to handling personal information security breaches, to reflect the newly passed Privacy Amendment (Notifiable Data Breaches) Act.