The Privacy Amendment (Notifiable Data Breaches) Bill 2017 (bill) amends the Privacy Act 1988 (Cth) (Privacy Act) and imposes an obligation on businesses to notify individuals and the Information Commissioner of data breaches. While the introduction of a mandatory data breach notification regime is significant, the threshold for notification is quite high.
When will it take effect?
The notification laws are expected to come into effect within the next 12 months. The bill was passed by both houses of parliament on 13 February 2017 and is currently awaiting Royal Assent.
Who is affected?
All entities that are currently subject to the Australian Privacy Principles (APP entity) in the Privacy Act, which includes:
Also, if an APP entity has provided personal information to an overseas entity, these notification obligations may still apply as if the APP entity itself held the information.
What are the notification requirements?
An ‘eligible data breach’ is central to this legislation. An eligible data breach happens if:
‘Personal information’ means information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether true or not. Common examples may include individuals’ dates of birth, addresses and credit card details.
‘Serious harm’ imposes a fairly high threshold, and is where a reasonable person would conclude that access to, or disclosure of, personal information would be likely to result in serious harm, taking into account a range of specified matters[1] including:
The Office of the Australian Information Commissioner has previously considered ‘serious harm’ to include identity theft and financial fraud.[2]
There are three categories of obligation surrounding an eligible data breach.
Within 30 days of an APP entity suspecting that there may have been an eligible data breach, it is obliged to carry out a reasonable and expeditious assessment of whether there has in fact been such a breach.
If an APP entity has reasonable grounds to believe that an eligible data breach has happened, it must notify:
An APP entity is also required to provide such notification if directed to do so by the Information Commissioner.
If an eligible data breach occurs, and the APP entity takes action before the breach results in serious harm to any of the affected individuals, then the breach is deemed to have not been an ‘eligible data breach’ and no notification steps are required.
The APP entity’s notification to the Information Commissioner and the affected individuals must be provided as soon as practicable after the APP entity becomes aware of the breach, and must contain:
What are the consequences of non-compliance?
If an entity or individual does not comply with the requirements of the legislation, they risk facing civil penalties of up to $1.8 million or $360,000 respectively or compensation orders to individuals who have suffered loss or damage as a result of the non-compliance.
What do I need to do?
If these amendments are likely to impact your organisation, we recommend action be taken now to prepare for the commencement of the bill. Such action may include implementing:
We also recommend that a whole-of-business approach be taken towards minimising cyber risks and the associated fall-out from a cyber event. As part of this, companies should consider how their present insurance coverage responds to cyber events and whether obtaining specialised cyber risk insurance coverage is necessary, particularly in light of the impending commencement of the bill.
Austbrokers Coast to Coast can offer comprehensive solutions for all risks mentioned. Please contact us on 07 5586 9955