Recent data breaches of large-scale entities such as Ashley Madison and the Australian Red Cross Blood Service have highlighted the difficulties organisations face in keeping personal information secure.
The consequences for entities that do suffer such a breach can be extreme: simply look at the fallout from the Ashley Madison saga, which resulted in substantial fines and compensation payouts, not to mention significant reputational damage.
However, many organisations are unaware of upcoming changes to the Privacy Act. From 22 February 2018, entities will have duties to disclose to individuals when their personal information may have been compromised in a data breach.
Who must comply with the new regime?
The entities that must comply with the mandatory disclosure regime are those with an annual turnover of more than $3 million. Understandably, this applies to a large number of businesses, government agencies and other organisations across Australia in a variety of different fields and industries.
When does the obligation to notify arise?
A data breach occurs when personal information is disclosed to someone not authorised to access it. Typical data breaches include hacks of databases, the loss of devices containing personal information and mistakenly providing personal information to the wrong person.
Notification obligations arise as soon as the particular entity has reasonable grounds to believe that there has been a data breach which is likely to result in serious harm.
There is no obligation to notify of an eligible data breach where an entity has taken remedial action that will prevent the likely risk of serious harm. It is therefore important for entities to respond quickly to data breaches, as they may relieve themselves of their disclosure obligation where appropriate action is taken in time.
What constitutes serious harm?
‘Serious harm’ is not a limited definition, and can extend to physical, psychological, emotional, financial or reputational harm (covering a wide range of matters including identity theft, financial loss, threats and loss of business or employment opportunities).
What is the process required for notification?
Once an eligible data breach has occurred, the entity must prepare a statement that includes the following information:
- the identity and contact details of the entity;
- a description of the eligible data breach;
- the kind of personal information concerned; and
- recommendations about the steps affected individuals should take.
The statement must be completed as soon as practicable and given to the affected individuals and the Office of the Australian Information Commissioner (OAIC). The OAIC has prepared a draft pro forma statement for this purpose.
What should you be doing?
The changes are right around the corner, so it is important for you to make sure you have appropriate policies and procedures in place that you are actively implementing. If you don’t think a breach could happen to you, think again. A recent breach exposed the records of 50,000 Australian workers, including employees of the Department of Finance, the Australian Electoral Commission and AMP among others, and was caused by the mistake of a third party contractor.
If you need assistance in updating or adopting the right policy, please contact the Corporate and Commercial Team. Be wary, as penalties may apply to those organisations which do not comply with their notification requirements.