An entity that is required to comply with the Privacy Act 1988 must take reasonable steps to protect the personal information it holds from misuse, interference and loss, as well as unauthorised access, modification or disclosure. This extends to situations where an entity engages a third party to store, maintain or process personal information on its behalf.
In February of this year the Commonwealth government passed the Privacy Amendment (Notifiable Data Breaches) Bill 2016, which will amend the Privacy Act, making it mandatory for companies and organisations to report “eligible data breaches” to the Office of the Australian Information Commissioner (OAIC) and any affected, at-risk individuals.
Does the Privacy Act apply to my organisation?
Australian Government agencies and all businesses and not-for-profit organisations with an annual turnover of more than $3 million have responsibilities under the Privacy Act, subject to some exceptions.
Some small business operators (organisations with a turnover of $3 million or less) are also covered by the Privacy Act, including:
What are reasonable steps?
The reasonable steps entities should take to ensure the security of personal information will depend on the circumstances, including the following:
Reasonable steps would include:
What is mandatory data breach notification?
Mandatory data breach notification is a legal requirement designed to protect the individuals affected by a data breach so that they may take the necessary steps and measures to protect themselves from any harm or damage. Notifying affected individuals is good privacy practice, as it gives each person the opportunity to take proactive steps to protect their personal information and also helps to protect an organisation’s reputation by displaying transparency and openness.
The mandatory data breach notification scheme being introduced will require entities to promptly notify the Office of the Australian Information Commissioner (OAIC) and any potentially affected individuals of an "eligible data breach".
When has an eligible data breach occurred?
An eligible data breach occurs when:
Examples of a data breach would include and not be limited to:
What constitutes serious harm?
Serious harm, in this context, could include serious physical, psychological, emotional, economic and financial harm, as well as serious harm to reputation and other forms of serious harm that a reasonable person in the entity’s position would identify as a possible outcome of the data breach.
In making an assessment of the level of harm, an organisation needs to consider the nature and sensitivity of the personal information, whether the information is protected by some type of security measures (e.g. encryption), who has obtained or accessed, or could obtain or access, the information, and the nature of the harm to affected individuals.
What does notification entail?
In the event of an eligible data breach, an entity is required to notify the Commissioner and affected individuals as soon as practicable after the entity is aware that there are reasonable grounds to believe that there has been an eligible data breach (unless an exception applies). The notification statement must include:
Notification must occur as soon as practicable after the preparation of the statement and may be made using the method the entity normally uses to communicate with the individuals. Depending on the situation, other methods of notification are permissible; for example, if an entity is unable to notify each affected individual, notification via the entity's website (if one exists) would be satisfactory.
What if I'm not sure if an eligible breach has occurred?
If an entity is aware that there are reasonable grounds to suspect that there may have been an eligible data breach of the entity, then the entity must carry out a reasonable and expeditious assessment of whether there are reasonable grounds to believe that the relevant circumstances amount to an eligible data breach of the entity, and must take all reasonable steps to ensure that the assessment is completed within 30 days after the entity becomes aware.
In essence, if you believe a data breach has occurred then you must undertake an investigation to determine if the breach must be reported or not. Your investigation must be completed within 30 days after you become aware.
Are there any exceptions to the requirement to notify?
Yes. Following a data breach, where an entity has taken remedial actions and steps to address any potential harm to individuals that may arise due to the data breach, before any serious harm is caused to individuals to whom the information relates, the mandatory notification obligations will not apply. The key test is whether or not a reasonable person would conclude, as a result of the actions taken, that the access or disclosure or loss of information would not be likely to result in serious harm to any of the individuals to whom the personal information relates.
This exemption demonstrates the value of early detection of data breaches and well-thought-out actions. The ability of an organisation to detect a data breach and take action to reduce any potential damage to individuals whose personal information has been disclosed or lost will play an important part in mitigating the potential damage that such an incident can cause.
Other exemptions are also listed in the Act.
Are there any penalties if I don't comply?
Yes. Failure to comply with the new regulations will be deemed to be an interference with the privacy of an individual for the purposes of the Privacy Act. This will engage the Commissioner’s existing powers to investigate, make determinations and provide remedies in relation to non-compliance with the Privacy Act. This includes the capacity to undertake Commissioner-initiated investigations, make determinations, seek enforceable undertakings, and pursue civil penalties for serious or repeated interference with privacy. Serious or repeated interference with the privacy of an individual attracts a maximum penalty of $360,000 for individuals and $1,800,000 for bodies corporate.
What should I do?
Organisations and businesses subject to the Privacy Act should now take steps to ensure that their processes and procedures will enable them to meet the new obligations when they come into effect in February 2018.
We recommend you ensure that your data breach incident response process is updated to include steps to:
Your plan should be updated and then tested to make sure that it is effective, works as intended and that everybody who is part of the plan is aware of their roles and responsibilities.
The introduction of the new legislation is a good opportunity to assess and measure your compliance with the Privacy Act provisions.
Article by Wayne Tufek, director of CyberRisk.