23 November 2018

Privacy Act Changes 2018 – Are You Prepared for a Data Breach?

This year saw the introduction of the new mandatory data breach notification obligations under the Privacy Act 1988 (Cth). In this short article our business law director, Nadia Sabaini, explains what these obligations mean for businesses and how to comply with the new requirements.

What has changed?

The Privacy Act 1988 (Cth) was amended to introduce mandatory data breach notification requirements, which took effect on 22 February 2018. It is important to note that the Act already included an obligation for businesses to take measures to protect the privacy and security of information. However, the amendments now impose an express requirement to give notice of a data breach to the Information Commissioner and to affected individuals, which can include making public disclosure of the event. We have noticed that insurers and policy advisors are now reviewing businesses' compliance with these new laws in their policy documents.

Who is affected?

We have prepared an easy infographic to show who is affected and what information is the subject of the notification requirements:

| Business affected | Information subject to notification obligations |
| --- | --- |
| “APP Entities” – any business with a gross turnover exceeding $3m per year | “Personal information” – information or an opinion about an individual, which might include contact details and personal records |
| “Credit Providers” – any business which (regardless of turnover) provides credit, or goods or services on credit terms, exceeding 7 days | “Credit eligibility information” – information regarding an individual’s creditworthiness, including credit reports obtained from a credit reporting body |
| “Credit Reporting Bodies” – businesses which collect credit data and provide reports | “Credit eligibility information” |
| “Tax File Number Recipients” – any business which receives the tax file number of an individual | “Tax file number information” – information that records a tax file number as connected to an individual |

What should businesses do to be compliant?

It is recommended that businesses affected by these changes review their procedures and update their privacy policy to include the measures they will implement for data security, including a response plan in case of a data breach.

The Office of the Australian Information Commissioner (OAIC) has issued some useful guides to help businesses understand their obligations regarding data security and prepare a response plan. However, if you haven’t reviewed your privacy policy in some time, this would be an excellent occasion to consult a solicitor, as a business to which these obligations apply will have other requirements under the Act, and it is important to check that these have been addressed.

What happens if a data breach occurs?

Generally, if an affected business suffers a data breach, the Act requires the business to, as soon as possible after becoming aware of the breach:

  1. notify the OAIC by lodging a statement regarding the breach via the form available online at the OAIC website; and
  2. provide a copy of the statement to the individual or individuals to whom the information relates, or who are otherwise at risk; or, if that is not practicable, place a copy of the statement on the business’ website and take reasonable steps to publicise the contents of the statement.

The statement must contain:

  1. the identity and contact details of the business which suffered the data breach;
  2. a description of the data breach which the business believes may have occurred;
  3. the kind of information which may have been accessed; and
  4. recommendations about the steps that any affected individuals concerned should take in response.

Does this apply to all data breaches?

It is essential to understand that these obligations do not apply to all data breaches. In particular:

  1. The notification obligations only apply to the unauthorised access or loss of the kind of data that is the subject of these provisions for the relevant business, as shown in the above infographic. For example, an accountant who holds client tax file numbers on record but is not an APP entity or credit provider does not need to report a breach unless he or she reasonably believes the hacker gained access to the tax file number information.
  2. The notification obligations only apply if the unauthorised access or loss of the information is likely to lead to serious harm to the person to whom the information relates. There is no definition of what may be serious harm. It is something that needs to be considered having regard to a number of factors listed in the Act, including the nature of the information, whether one or more security measures protect the information, and the kind of harm that could be caused.
  3. The obligation to notify may be avoided if, before any serious harm occurs, the business can implement remediation procedures which lead to a reasonable conclusion that the individual or individuals concerned are no longer at serious risk of harm.

A business that believes a notifiable data breach has occurred is required to conduct an assessment of the breach within 30 days of becoming aware of it. Remediation steps should be implemented immediately according to the IT provider’s recommendations. Beyond this, it is clear that notification of a data breach can have severe consequences for a business, but so can failing to disclose when required. Therefore, we recommend that businesses that suffer a data breach seek legal advice as soon as possible after assessing the breach to determine whether there is a need to notify, and to ensure that the requirements of the Act are followed.

Find out more about the Privacy Act 1988 (Cth) and the Notifiable Data Breaches scheme here.


The article was authored by a former team member while they were under the employ of Bennett & Philp Lawyers.
