February 8, 2018
Mandatory Breach Notification – The Ins and Outs
In our previous update we introduced the Privacy Amendment (Notifiable Data Breaches) Act 2017 (“the Breach Act”) and its amendment to the Privacy Act 1988 (Cth). The Breach Act will come into effect on 22 February 2018. Within this article, we will delve a little deeper into the Breach Act, and what it means for you and your business.
Will the breach act apply to me / us?
The Breach Act modifies the existing Privacy Act. So, if you are an organisation that falls under the purview of the Privacy Act, the Breach Act will also apply to you.
The Privacy Act applies to organisations (including individuals, body corporates, partnerships, any other unincorporated association or a trust) that has an annual turnover of $3 million or more. However, if an organisation has a turnover less than $3 million and provides health services, or collects or provides personal information (among other things), they will still fall under the Privacy Act, and have to comply with it.
So the privacy act applies, what about the breach act? when does that apply and what does it cover?
The Breach Act amends the Privacy Act to mandate notifiable data breaches. In short, the law has been introduced as an incentive to protect and secure data and personal information and to combat an increasing number of data breaches.
A data breach will occur in your organisation if: -
- There is unauthorised access to, unauthorised disclosure of, or loss of, personal information held by an entity; and
- The access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates. This is determined by reference to a number of ‘relevant matters’ like the sensitivity of the information, the kind of information etc.
Once a data breach has occurred within your organisation, the Breach Act mandates that your organisation must give a notification if: -
- There are reasonable grounds to believe that an eligible data breach has happened; or
- You are directed to do so by the Commissioner.
Also, if you suspect that a data breach has occurred (without confirmation), the Breach Act provides that you must carry out a reasonable and expeditious assessment of the suspected breach within 30 days.
if a breach occurs, what do i have to do?
So, for example, if a data breach occurs (or is suspected to have occurred) in your organisation post 22 February 2018 the Breach Act directs:
- That if a breach is suspected to have occurred, an assessment must be carried out expeditiously and within 30 days;
- If a breach has occurred, prepare a statement to be provided to the Commissioner.
That statement: -
- Has to set out the identity and details of the organisation;
- A description of what happened, or what is suspected to have occurred;
- The kinds of information the subject of the breach;
- Recommendations about what steps individuals should take if it is their data or personal information that has been breached.
- After that, the organisation must notify the contents of the statement to each of the individuals the subject of the breach, or publicise the statement as soon as the statement has been prepared.
As you can see, if a data breach occurs there will be serious and public consequences. The Commissioner can also direct of its own volition for an organisation to notify individuals, or the world at large, of a data breach occurring.
so, what now?
The Breach Act comes into effect on 22 February 2018. It will most likely apply to your business or organisation. Be aware of it, the Privacy Act, and your obligations to safeguard data and information.
Self-assessment of security and data held by your business is a good idea, as well as the implementation of plans and policies in the event such a breach occurs. External assessments of your privacy policies and readiness for the new legislation, such as those offered by McInnes Wilson Lawyers, are also valid protection avenues.
If your business fails to comply with the security of data and personal information, the Breach Act and its new powers will ensure a costly and public reprimand which may damage your business financially and tarnish its reputation. This new legislation cannot be ignored.
If you wish to discuss the Breach Act, or privacy concerns please contact Principal,Trenton Schreurs of McInnes Wilson Lawyers Electronic Law team.