Privacy compliance will become even more important for all companies in Australia now that the mandatory data breach notification scheme has been enacted.
From 22 February 2018, certain data breaches (known as “eligible data breaches”) will need to be notified to the Australian Privacy Commissioner and affected individuals. Previously, notification of data breaches was optional.
Given the dramatic rise in data breaches from hacking or poor systems and processes, companies will need to be significantly more vigilant about their data management and breach reporting practices.
The new obligations
New amendments to the Privacy Act 1988 (Cth) introduce a requirement for private sector organisations and Commonwealth government agencies to notify “eligible data breaches”.
Once an organisation becomes aware that there are grounds to suspect an eligible data breach, it will have only thirty days to assess whether such a breach has in fact occurred.
If an organisation has reasonable grounds to believe that an eligible data breach has occurred, it must promptly prepare a statement which includes, amongst other things, a description of the breach and the kinds of information affected, and must notify the Privacy Commissioner and affected individuals as soon as practicable.
What is an eligible data breach?
An eligible data breach occurs where:
- there is unauthorised access to, or unauthorised disclosure of, personal information held by the organisation, or personal information is lost in circumstances where access to, or unauthorised disclosure of, the information is likely to occur; and
- a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates.
The key question is therefore whether the data breach would be likely to result in serious harm to the affected individuals. In assessing whether the access or disclosure would be likely to result in serious harm, the organisation is required to have regard to a number of factors, including:
- the kinds of information affected and its sensitivity;
- whether a security measure (such as encryption) was applied in relation to that data;
- the likelihood that the security measure could be defeated (including whether the persons who are likely to receive that data have the ability to circumvent the security measure, such as cracking the encryption key);
- the nature of the potential harm to affected individuals; and
- any other relevant matters.
However, the notification obligations will not apply where remedial action has been taken (such as when an individual who receives a misdirected email agrees to destroy it without reading it) and a reasonable person would conclude that, as a result of that action, the access, disclosure or loss of the information would not be likely to result in serious harm to any affected individual. In short, if you can remedy the breach quickly enough that no one is likely to be harmed, you would not need to notify.
Data held by offshore service providers
The new mandatory data breach notification obligations may also apply where the data which is the subject of the data breach is held by a service provider outside Australia.
Under the Australian Privacy Principles, personal information may be disclosed outside Australia if the Australian organisation has taken “reasonable steps” to ensure the offshore recipient handles that information in accordance with the Australian Privacy Act. Those reasonable steps typically include entering into a binding contract with the offshore recipient that imposes detailed privacy and information security obligations on that recipient. With the advent of the new data breach notification laws, those contracts should include an obligation on the recipient to notify you of any suspected data breach and to assist your investigation of it.
Where an organisation in Australia has disclosed personal information to an offshore recipient, an eligible data breach that occurs offshore in relation to that transferred personal information may, in some circumstances, be deemed to be an eligible data breach that affects the organisation in Australia. This will often be the case for organisations that hold personal information in cloud computing platforms that are located outside Australia.
Penalty for failure to report a breach
A failure to report an eligible data breach will be deemed to be an interference with the privacy of the individuals affected by the eligible data breach. This is a breach of the Privacy Act. This means that a failure to notify affected individuals of an eligible data breach could be the subject of a complaint to the Privacy Commissioner.
Where the failure to make a notification of the eligible data breach amounts to a serious or repeated interference with privacy, the Privacy Commissioner has the power to seek civil penalty orders of up to A$2.1 million in the case of companies.
Who must comply
In line with the general provisions of the Privacy Act 1988 (Cth), the mandatory data breach obligations will apply to private sector organisations with an annual turnover of greater than A$3 million and to Commonwealth government agencies. The new law will mean that these entities will need to be prepared to respond to a data breach, including to assess whether an eligible data breach has occurred, and to promptly comply with their notification obligations if necessary.
How we can help
Norton Rose Fulbright has developed three fixed-price packages that can assist you to comply with the new laws. You can find out more – and chat to Parker the Data Privacy Chatbot about the new data breach notification scheme – here.