From 22 February 2018, mandatory data breach notification will apply to any individual or organisation regulated by the Privacy Act 1988 (Cth). This will affect any businesses with an Australian link and a continued presence in Australia.
Under the new law, if a business is the subject of an ‘eligible data breach’ then if a data breach is likely to result in “serious harm to any individuals to whom the information relates” they must notify the Office of the Australian Information Commissioner (OAIC) and affected individuals.
Prior to the new law, there was no requirement for businesses to notify an individual who ‘may’ be affected by a data breach resulting from misuse, interference and loss of personal information.
The key objective of the data breach notification requirement is to permit individuals, whose personal information had been compromised in a data breach, to take remedial steps to lessen the adverse impact arising from the breach.
Small business operators with an annual turnover of less than $3 million will continue to be exempt from the data breach notification requirement under the Privacy Act. Note that a small business operator providing a health service to individuals and holds health information relating to the provision of health services will be caught by the data breach notification requirements. This will include healthcare providers who maintain information or an opinion about an illness, disability or injury of an individual when providing treatment.
How will a mandatory data breach notification impact your business?
In the event of an ‘eligible data breach’, a business owner must notify the OAIC within 30 days if it has reasonable grounds to believe that an eligible data breach has occurred.
The relevant criteria to assess what amounts to an eligible data breach is:
- there is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, that a business holds
- there is a likely risk of serious harm to any of the affected individuals as a result of the unauthorised access or unauthorised disclosure of personal information; and
- the business has not been able to prevent the likely risk of serious harm with any remedial action.
‘Serious harm’ is not defined in the Privacy Act. However, in the context of a data breach, the OAIC guidance notice indicates that “serious harm” to an individual may include serious physical, psychological, emotional, financial, or reputational harm. In assessing whether ‘serious harm’ is likely to occur, the organisation should have regard to:
- the kind of information and the sensitivity of the information
- whether the information is protected by any security measures and the likelihood that any of those security measures could be overcome
- the kinds of persons who have obtained, or could obtain, the personal information
- if a security technology or methodology was used and which was designed to make the personal information unintelligible or meaningless to unauthorised persons
- the likelihood that the persons obtaining the information having the intention of causing harm to an individual
- the nature of the harm.
Individuals or a business failing to report an eligible data breach may face penalties of up to $360,000 for individuals and $1.8 million for organisations.
When to notify?
It is not intended that every data breach must be subject to a notification requirement. OAIC has issued voluntary Data Breach Guidelines which sets out examples of when data breach notification may be required. For example:
- a malicious breach of secure storage and handling of information including a cyber security incident involving an organisation using third party providers to maintain its web services with databases containing personal information being ‘hacked’ into or otherwise illegally accessed by individuals outside the organisation;
- an accidental loss including loss of IT equipment or hard copy documents containing personal information;
- an organisation mistakenly providing personal information to the wrong person or an individual deceiving an organisation into improperly releasing the personal information of another person
- a negligent or improper disclosure of information including employees disclosing personal information outside the requirements or authorisation of their employment.
How to best manage a notifiable data breach
To avoid a data breach becoming an eligible data breach requiring OAIC notification, a business must actively monitor activities which could potentially give rise to a data breach or data loss and have in place a governance process to assess the implications of a breach and to take appropriate action in the event of a data breach.
OAIC has prepared a guide to assist businesses to prepare for and respond to data breaches in compliance with their obligations under the Privacy Act.
Meridian Lawyers can assist you to understand your privacy obligations and to advise on the compliance with the Notifiable Data Breaches regime and its impact and in developing a data breach response plan.
For further advice please contact our Corporate Advisory Principal Michael Bracken.