In recent years there have been repeated controversies over unauthorised access to the personal data that businesses collect about, or hold on behalf of, their customers.
These so-called ‘data breaches’ are attracting increasing government attention. On 13 February 2017, the Australian Parliament passed the Privacy Amendment (Notifiable Data Breaches) Bill 2016, which establishes a mandatory data breach notification scheme. The resulting Act, the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth), amends the Privacy Act 1988 (Cth) and is expected to commence on a date fixed by proclamation or, at the latest, 12 months after Royal Assent.
If your business is covered by the Privacy Act (broadly, businesses with an annual turnover of more than $3 million, together with some smaller businesses that the Act specifically covers, such as private health service providers), you may be affected, and we encourage you to seek independent legal advice on how the scheme may affect your business, including what you need to do to comply with the new requirements.
The following information may assist you in finding out more about whether the new legislation will affect your business. It is not legal advice or opinion.
- The mandatory data breach notification scheme applies to all entities that are already subject to the Privacy Act’s obligations to protect personal information and that experience an ‘eligible data breach’.
- An eligible data breach occurs where there is unauthorised access to, unauthorised disclosure of, or loss of personal information held by an entity, and a reasonable person would conclude that the access or disclosure is likely to result in serious harm to any of the individuals to whom the information relates. A breach does not count as eligible if the entity takes remedial action quickly enough that serious harm is no longer likely.
- Where an entity has reasonable grounds to suspect that an eligible data breach may have occurred, it must carry out a reasonable and expeditious assessment of the circumstances, and take all reasonable steps to complete that assessment within 30 days of becoming aware of the grounds for suspicion.
- If an entity has reasonable grounds to believe it has experienced an eligible data breach, it must, as soon as practicable, prepare a statement for the Information Commissioner (identifying the entity, describing the breach and the kinds of information involved, and recommending steps affected individuals should take) and notify affected individuals of the contents of that statement.
- The entity has flexibility to notify all affected individuals directly, or only those at risk of serious harm, or, if neither is practicable, to publish the statement on its website and take reasonable steps to publicise it.
- Failure to comply with an obligation included in the Bill will be deemed to be an interference with the privacy of an individual for the purposes of the Privacy Act.
- This will engage the Commissioner’s existing powers to investigate, make determinations and provide remedies in relation to non-compliance with the Privacy Act. This includes the capacity to undertake Commissioner initiated investigations, make determinations, seek enforceable undertakings, and pursue civil penalties for serious or repeated interferences with privacy.
- In the case of serious or repeated non-compliance, the Commissioner can also apply to a court for a civil penalty order. (Serious or repeated interferences with the privacy of an individual currently attract a maximum penalty of $360,000 for individuals and $1.8 million for bodies corporate.)
What happened before?
Until the scheme commences, businesses covered by the Privacy Act are already required to take reasonable steps to protect the personal information they hold (Australian Privacy Principle 11), but there is no statutory obligation to notify anyone when that information is compromised.
The Australian Privacy Commissioner has also established a voluntary data breach notification scheme and published guidelines on appropriate data breach notification practices. However, the Commissioner’s view is that data breaches have been under-reported in Australia.
Other sources of information
The above information was sourced from the relevant Minister’s Second Reading Speech and Explanatory Memorandum to the Bill. Further information about the new legislation is available on the Australian Government website.
The Australian Information Commissioner and Privacy Commissioner has stated that he intends to provide additional guidance over the next 12 months, including through events hosted by the OAIC’s Privacy Professionals Network.
Has your business been impacted by a data breach? What’s your opinion of the notification scheme? Share your ideas and start a conversation by leaving a comment below.