The Privacy Amendment (Notifiable Data Breaches) Act 2017 (the Act) – an Act to amend the Privacy Act 1988 – comes into force on 22 February 2018.
We have provided a brief overview as to what this might mean for your business.
Why is the law changing?
There is currently no obligation to notify individuals who may be affected by a data breach. However, rapid and continuous developments in technology have created a rising threat to the safety and privacy of personal information. The Commonwealth Government has taken steps to ensure that any party that collects personal information turns its mind to what it must do if a data breach arises.
What are the changes?
The Act requires entities to notify individuals whose personal information is breached and the Australian Information Commissioner when an ‘Eligible Data Breach’ (EDB) occurs.
Who do the changes apply to?
The Act applies to all entities which includes:
- an agency or organisation that already has obligations under the Privacy Act;
- agencies, businesses and not-for-profits that have annual turnover of more than $3 million;
- private sector health service providers;
- credit providers and credit reporting bodies;
- entities that trade in personal information; and
- tax file number recipients.
What is an Eligible Data Breach?
An Eligible Data Breach happens if:
- there is unauthorised access to, or unauthorised disclosure of information held by your business; or
- information is lost in circumstances where unauthorised access, or unauthorised disclosure of the information is likely to occur; and
- a reasonable person would conclude that the access or disclosure would likely result in serious harm to any of the individuals the information relates to.
What do you need to do?
If there is a suspected EDB, you should:
- carry out an assessment as to whether there are reasonable grounds to believe that the circumstances amount to an EDB; and
- complete this assessment within 30 days of becoming aware of the potential EDB.
If:
- you have reasonable grounds to believe an EDB has occurred; or
- you are directed by the Commissioner to do so,
you must prepare an official notification of the EDB for the Australian Information Commissioner and for the affected individuals whose personal information has been compromised.
Notification to the Commissioner must be made online at www.oaic.gov.au.
The new Act commences on 22 February 2018.
- If the Act applies to you, you must have a Notifiable Data Breach strategy and communication plan in place.
- Implement internal plans to ensure you know what to do when an EDB occurs.
- Adopt an approach in your business of ‘get to them before they get to you’. If an EDB occurs and your business takes no action, be prepared to deal with the Commissioner and, most importantly, with your customers or those whose information has been subject to the breach.