The Privacy Act 1988 (Cth) (Act) has been amended by the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) (the Amending Act). The Amending Act introduces a mandatory data breach notification regime where an “eligible data breach” occurs. The amendments will commence on February 23, 2018, unless they are proclaimed to commence earlier.
Who is required to comply with the new laws?
The new reporting regime will apply to APP entities that hold personal information. In general, private health care organizations, including community health centers and other private health providers will be considered APP entities.
What is an eligible data breach?
An eligible data breach occurs where there is:
- unauthorized access to or unauthorized disclosure of information; or
- loss of the information where unauthorized access or disclosure is likely; and
- in either case, a reasonable person would conclude that the access or disclosure would likely result in serious harm to any of the individuals to whom the information relates.
The individuals to whom serious harm would likely result are defined as being “at risk.”
Serious harm is not defined in the act, but the explanatory memorandum to the amendments states that serious harm could include “serious physical, psychological, emotional, economic and financial harm, as well as serious harm to reputation, and other forms of serious harm that a reasonable person in the entity’s position would identify as a possible outcome of the data breach.”
What are the notification requirements?
If an organization has reasonable grounds to believe that there has been an eligible data breach, then it must provide a statement to the Australian Information Commissioner (the Commissioner), which sets out a range of mandated matters.
As soon as practicable after preparing the statement for the Commissioner, the organization must also take reasonable steps to notify the contents of the statement to either:
- each individual to whom the information relates; or
- if not all of these individuals are deemed to be at risk, only those affected individuals who are deemed to be at risk.
Are there any exceptions to the data breach notification requirements?
There are certain exceptions to the notification regime, including where an organization takes remedial action to address any unauthorized access to or disclosure of information or loss of information, and:
- in relation to unauthorized access or disclosure, the remedial action occurs before there is any serious harm to any affected individuals to whom the information relates, and a reasonable person would conclude the access or disclosure would not likely result in serious harm to any of those individuals; or
- in relation to loss of information, the remedial action occurs:
a) before there is any unauthorized access to or disclosure of the information, and as a result of the action there is no unauthorized access or disclosure; or
b) after there is any unauthorized access to or disclosure of the information, but before the access or disclosure results in serious harm to any individuals to whom the information relates, and a reasonable person would conclude the access or disclosure would not likely result in serious harm to any of those individuals.
What happens if an organization does not comply with the requirements?
A breach of the data breach notification requirements is taken to be an act that is “an interference with the privacy of an individual.” Section 13G of the Act provides that a civil penalty applies to serious or repeated interferences with the privacy of an individual. A maximum individual penalty of $360,000 and a maximum corporate penalty of $1,800,000 currently apply for breach of this provision.
Organizations should review their policies and procedures regarding data breaches and prepare data breach response plans in line with the requirements of the Amending Act (if these are not in place already). The data breach response plans should contemplate potential remedial action to prevent any serious harm from occurring to any affected individuals.
Organizations that hold or share data in collaboration with other entities or service providers may wish to establish processes to enable a coordinated response to any data breach.
Giovanni Marino is a senior solicitor with Health Legal who, prior to joining Health Legal, was a physiotherapist. This health background brings practical experience to Giovanni’s work as a lawyer. Giovanni provides a broad range of legal assistance to health care providers across Australia, including advice on their legal obligations (in areas such as medico-legal, privacy, and employment) and assistance with contract drafting and negotiations. More can be found at www.healthlegal.com.au.