Publications - Information Technology
Developments in Privacy Law - Notifiable Data Breaches
February 2018
On 22 February 2018 significant amendments were introduced to the Privacy Act 1988 (Cth) (Privacy Act) which impact the manner in which organisations are to handle personal information. These changes and the manner in which they may affect your organisation are detailed below.
Eligible Data Breaches
The newly introduced Part IIIC of the Privacy Act sets up a scheme for notification of eligible data breaches. An eligible data breach happens if:
(a) there is unauthorised access to, unauthorised disclosure of, or loss of, personal information held by an entity; and
(b) the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates.
If you have reasonable grounds to believe that an eligible data breach has occurred then you must notify both the affected individuals and the Australian Privacy Commissioner as soon as practicable.
Notification Requirements
A notification statement should include: the identity and contact details of the entity, a description of the eligible data breach, the kind or kinds of information involved in the eligible data breach and what steps the entity recommends that individuals take in response to the eligible data breach.
Under the new legislation, where an entity is affected by an eligible data breach, the Australian Privacy Commissioner has the discretion to direct the entity to prepare and publish a notification statement on the entity’s website.
For data breaches affecting certain categories of information, other mandatory or voluntary reporting schemes may exist. For example, entities might consider reporting certain breaches to: police or law enforcement bodies, the Australian Prudential Regulation Authority (APRA), the Australian Taxation Office (ATO), the Australian Cyber Security Centre (ACSC), the Australian Government Department of Health, or insurance providers.
How does this affect me?
These changes will affect you if your entity receives a Tax File Number (TFN); if your entity is a business or non-profit with an annual turnover of more than $3 million per annum; or if your entity is a business, agency or organisation otherwise required to comply with the 13 Australian Privacy Principles set out in Schedule 1 of the Privacy Act. This means that most entities are affected by these changes.
Entities should prepare a Data Breach Response Plan which will provide an efficient framework for managing a data breach, and also help your organisation meet its obligations under the Privacy Act. The response plan should outline your entity’s strategy for containing, assessing and managing eligible data breaches from start to finish.
Failure to comply with the new notification requirements can attract civil penalties of up to $2.1 million.
Where can I find more information?
The Office of the Australian Information Commissioner has made guidance material available at www.oaic.gov.au, which includes a draft Eligible Data Breach Statement.
If you require further assistance with developing a Data Breach Response Plan, or other privacy tools for your organisation, please contact us.
Eligible Data Breaches
The newly introduced Part IIIC of the Privacy Act sets up a scheme for notification of eligible data breaches. An eligible data breach happens if:
(a) there is unauthorised access to, unauthorised disclosure of, or loss of, personal information held by an entity; and
(b) the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates.
If you have reasonable grounds to believe that an eligible data breach has occurred then you must notify both the affected individuals and the Australian Privacy Commissioner as soon as practicable.
Notification Requirements
A notification statement should include: the identity and contact details of the entity, a description of the eligible data breach, the kind or kinds of information involved in the eligible data breach and what steps the entity recommends that individuals take in response to the eligible data breach.
Under the new legislation, where an entity is affected by an eligible data breach, the Australian Privacy Commissioner has the discretion to direct the entity to prepare and publish a notification statement on the entity’s website.
For data breaches affecting certain categories of information, other mandatory or voluntary reporting schemes may exist. For example, entities might consider reporting certain breaches to: police or law enforcement bodies, the Australian Prudential Regulation Authority (APRA), the Australian Taxation Office (ATO), the Australian Cyber Security Centre (ACSC), the Australian Government Department of Health, or insurance providers.
How does this affect me?
These changes will affect you if your entity receives a Tax File Number (TFN); if your entity is a business or non-profit with an annual turnover of more than $3 million per annum; or if your entity is a business, agency or organisation otherwise required to comply with the 13 Australian Privacy Principles set out in Schedule 1 of the Privacy Act. This means that most entities are affected by these changes.
Entities should prepare a Data Breach Response Plan which will provide an efficient framework for managing a data breach, and also help your organisation meet its obligations under the Privacy Act. The response plan should outline your entity’s strategy for containing, assessing and managing eligible data breaches from start to finish.
Failure to comply with the new notification requirements can attract civil penalties of up to $2.1 million.
Where can I find more information?
The Office of the Australian Information Commissioner has made guidance material available at www.oaic.gov.au, which includes a draft Eligible Data Breach Statement.
If you require further assistance with developing a Data Breach Response Plan, or other privacy tools for your organisation, please contact us.
