If you are a business with an annual turnover of more than $3 million, changes are being proposed that may affect the way you deal with and handle breaches of privacy.
Currently, the Privacy Act 1988 (Cth) does not impose a mandatory reporting obligation when a privacy breach occurs. The current legislation protects personal information from misuse, interference, loss, unauthorised access and disclosure, but there is no requirement to report a data breach if one occurs.
However, changes are being proposed in the Privacy Amendment (Notification of Serious Data Breaches) Bill 2015 (Cth) which will introduce a mandatory reporting obligation.
This obligation will compel businesses to improve data safeguarding procedures and policies, thereby increasing data security, public accountability and transparency.
A serious data breach arises where personal information is subject to unauthorised access, disclosure or loss and, as a result, there is a real risk of serious harm to the affected individuals. Mandatory reporting is triggered where there are reasonable grounds to believe that such a serious data breach has occurred.
Examples of breaches of privacy that may attract mandatory reporting include the following:
The breach must be reported to the Privacy Commissioner, as well as affected individuals.
If it is not practicable to notify the affected individuals, businesses should take reasonable steps to publicise a statement. This could include publishing a statement on the entity’s website or through social media.
Notification is required as soon as practicable after the entity becomes aware or ought reasonably to have become aware of this serious data breach.
In circumstances where an entity suspects that a data breach has occurred, but is not yet certain, the entity has up to 30 days to assess whether there are reasonable grounds to deem it a serious breach in order to warrant mandatory reporting.
In general, notification should include the following:
Businesses that fail to comply may face enforcement action, including potential civil penalties for serious or repeated breaches.
Under the existing legislation, the Privacy Commissioner already has enforcement powers. A failure to notify of a breach may attract civil penalties of up to $1.7 million for serious or repeated breaches.
However, these powers of the Commissioner are discretionary, and they are not automatically triggered.
Under the draft Bill, the amendments would commence 12 months after the date of Royal Assent. Businesses would therefore have a 12-month time frame to respond and alter their processes and procedures to accommodate the proposed changes.
Similar drafts of this Bill were introduced previously in 2013 and 2014, and many European countries and US states have already adopted mandatory data breach notification laws. The regulation of privacy therefore appears to be heading in this direction.
There will be ongoing cost implications for your business, and your business may need to review its existing practices, processes and procedures.
We will continue to keep you updated on the legal developments in this area. For now, we recommend that businesses start preparing for the introduction of the notification requirements by ensuring that they have appropriate operational procedures to identify, assess and manage data breaches when they occur. Even if the changes are not implemented, this is a prudent way to ensure your business is compliant with existing privacy laws.
If you would like to talk to a lawyer about your operational procedures, or if you would like some general advice on how the existing privacy laws affect your business, please contact Peter North (Senior Associate, Corporate and Business Law Practice Group) on 03 9629 9629.
Copyright © 2021 Lewis Holdway Lawyers.