Australia Mandatory Data Breach Notification Is In

Here’s All You Need To Know

There are approximately 10 months to go until your organisation will have to fess up if it experiences a serious data breach. Whilst that may sound like a long time away, the requirement to notify is only the tip of the iceberg.  It’s a reminder to all organisations covered by the Privacy Act to have adequate measures in place to protect information security and to have a privacy governance framework in place.

As a privacy leader in your organisation, you should now be looking at your processes and procedures for managing data breaches and assessing your organisation’s capability to respond to them.  You should be:

• Briefing all relevant stakeholders on the roles that they will play
• Training staff on the steps expected by the regulator when responding to privacy breaches
• Implementing internal processes to streamline these requirements in a way that is meaningful and practicable for your organisation. 

About the new law

The OAIC has stated that organisations “will need to be prepared to conduct quick assessments of suspected data breaches to determine if they are likely to result in serious harm.” You do not want to find yourself researching your obligations for the first time when faced with a cyber incident.  Readiness is key.

Australia’s mandatory data breach notification law will come into force on 22 February 2018, requiring all entities bound by the Privacy Act 1988 to notify the regulator and consumers of all data breaches that meet the threshold.

The Act implements recommendations of the Parliamentary Joint Committee on Intelligence and Security’s Advisory report on the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 and the Australian Law Reform Commission’s report For Your Information: Australian Privacy Law and Practice by amending the Privacy Act to require agencies, organisations and certain other entities to provide notice to the Australian Information Commissioner and affected individuals of an eligible data breach.

With this law, Australia joins 47 states of the USA, the European Union, New Zealand (which has announced plans to introduce a two-tier mandatory data breach notification scheme) and Canada in passing legislation to introduce a national mandatory data breach notification scheme.

Key aspects of the law:

• Threshold:  A notifiable data breach will occur where there is unauthorised access to, or unauthorised disclosure of, the information and “a reasonable person” would believe that such data breach is “likely to be result in serious harm” to any of the relevant individuals.  A breach will also be notifiable if the information is lost in circumstances where it is likely to lead to unauthorized access or disclosure with serious harm to the relevant individuals a likely result.
• Timing: APP entities will be required to notify an eligible data breach as soon as practicable after becoming aware of it or that there are reasonable grounds to believe that there has been an eligible data breach. If they suspect a breach has occurred, APP entities must take reasonable steps to complete, within 30 days, a “reasonable and expeditious assessment of whether there are reasonable grounds to believe that the relevant circumstances amount to an eligible data breach”.
• Who must be notified? APP entities will be required to notify the Australian Information Commissioner and each of the relevant individuals affected by the breach. Where it is not practicable to communicate with each of the affected individuals, the entity must publish a statement on its website or take reasonable steps to publicise it.
• Penalties for non-compliance:  Failure to comply with the key provisions of the law is an interference of privacy under the Privacy Act. Serious or repeated interferences with the privacy of an individual attract a maximum penalty of 2,000 penalty units for individuals ($360,000) and 10,000 penalty units for bodies corporate ($1.8million).
• Remedial action to overcome reporting obligation: Notification is not required if the entity takes action in relation to the loss of information or the unauthorized access or disclosure before serious harm to affected individuals has resulted and a reasonable person would conclude that serious harm to those individuals is no longer likely to occur.
• Importance of securing information: Effective security measures can mitigate the obligation to notify when information is lost.  The law sets out a list of relevant factors in determining whether access or disclosure is likely to result in serious harm, including what security technology has been used to protect the information and the likelihood that the persons who have obtained it or could obtain it are likely to intend to cause harm and have the means to circumvent these measures.

The Office of the Australian Privacy Commissioner (OAIC) has indicated that it will be issuing guidance about the new law over the coming months.  Follow the OAIC’s notifiable data breach guidance webpage to ensure that you see this guidance as it is issued.  In the meantime, the OAIC has advised organisations to review their practices, procedures and systems for securing personal information and to prepare or update their data breach response plan.