The Privacy Amendment (Notifiable Data Breaches) Act (Amendment Act) was enacted in February 2017. The key provisions will likely take effect in February 2018, giving commonwealth government agencies and private sector organizations time to prepare.
Requirement to Notify if Breach Is Likely to Result in Serious Harm
The Amendment Act amends the Privacy Act of 1988 to introduce mandatory data breach notification requirements for commonwealth government agencies and private sector organizations.
The threshold for notification is higher than in most other jurisdictions: the test is whether the breach “is likely to result in serious harm” to an affected individual.
Currently, there is no requirement to inform the Office of the Australian Information Commissioner (OAIC) or affected individuals following a breach involving personal information, although the OAIC encourages notification if there is a “real risk of serious harm” to an individual.
What Is an “Eligible Data Breach”?
The Amendment Act states that, essentially, an “eligible data breach” happens if:
- there is unauthorized access to, or unauthorized disclosure of, personal information; and
- it can be concluded that this breach would be likely to result in serious harm to any of the individuals the information relates to. Factors to consider include the types of personal information involved, whether the information is encrypted, and the risk of that encryption being circumvented.
Serious harm could include physical, psychological, emotional, economic, or financial harm or harm to reputation.
What the Changes Mean for You
From February 23, 2018 onwards, if your business or agency is subject to the Privacy Act and suffers an eligible data breach, you must report it to the OAIC and to the affected individuals as soon as practicable.
The notification must contain:
- the identity and contact details of your business or agency;
- a description of the breach;
- the type of information affected; and
- recommended steps individuals should take in response to the breach.
What if You Don't Report It?
If you don't notify the OAIC and/or affected individuals, you will have interfered with their privacy. (You may have interfered with their privacy anyway if you didn't take reasonable security measures to protect their personal information.) As a result, the OAIC may, for example, require you to apologize publicly and pay compensation to them. A hefty civil penalty could also apply for serious or repeated noncompliance with notification requirements.
Protecting Yourself from a Serious Data Breach
A factor to be considered when assessing whether an eligible data breach has occurred is whether the information was protected by security measures. Consider:
- installing and maintaining a firewall to protect data;
- using and regularly updating antivirus software;
- encrypting data transmissions (particularly personal information) across open, public networks and encrypting data “at rest” on your systems;
- restricting access to personal information on a business “need-to-know” basis;
- using best practice login ID and password requirements, including requiring complex passwords and regular password changes;
- restricting physical access to systems and hard copy personal information;
- tracking access to your computer systems;
- regularly testing your security systems and processes; and
- maintaining a policy that addresses information security for staff.
You Need a Data Breach Response Plan
In the data age, it's becoming inevitable that all organizations will experience a data breach. When that happens, you must be ready with a Data Breach Response Plan.
The aim of the plan is to be clear about who is responsible for managing your response to a breach and to provide them with clear, practical checklists. You don't want to spend the first hours after a serious breach occurs scrambling to contact senior executives and deciding ad hoc what to do. Your Data Breach Response Plan should include:
- a list of response team members and their contact details, including after hours;
- clear responsibilities for investigating the breach, putting immediate risk mitigations in place, and communicating with affected individuals, regulators, and the media;
- detailed checklists to work through for assessing the risks associated with the breach and for implementing changes to avoid future breaches; and
- template documents for notifying affected individuals and the OAIC and for publication on your website.
David Smith has advised extensively on data privacy in Australia. He has advised companies such as BP, Ford, Spotify, and News Corp. His work spans privacy compliance audits, risk management for offshoring of data, and managing data breaches. See http://www.gadens.com/whoweare/ourpeople/Pages/David-Smith.aspx for more details about David.