In early 2017 we published an article outlining the elements of the new Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) and how it will affect businesses. As the effective date of 22 February 2018 approaches quickly, here is a recap of the changes to the Privacy Act 1988 (Cth) (“Privacy Act”) and some tips for determining whether an eligible data breach has occurred.
If your business has an annual turnover of more than $3 million, or provides credit or receives tax file numbers, it is likely that it will have obligations under the Privacy Act. Small business operators (businesses with an annual turnover of $3 million or less) are generally exempt from the privacy obligations, except if they hold health information in relation to the provision of a health service, if they are a credit reporting body, or if they are a contracted service provider for a Commonwealth contract.
The new law will require entities governed by the Act to notify affected persons and the Privacy Commissioner if an “eligible data breach” occurs. This happens where there is either:
The Privacy Act provides guidance on determining whether a reasonable person would conclude that the unauthorised access to or disclosure of personal information would be likely to result in serious harm. Amongst other things, you will need to assess:
For example, if the information disclosed is financial information, notification is more likely to be required due to the sensitivity of that information and the serious (financial) loss that could result. However, if the breach disclosed only the names of individuals, it might not result in serious harm.
An eligible data breach could occur if:
Circumstances in which personal information may be lost, but where subsequent unauthorised access or disclosure is unlikely to occur, could include where:
However, it is possible for a privacy breach to fall short of being an eligible data breach. If your business takes remedial action quickly enough that the access, disclosure or loss is not likely to result in serious harm to any of the affected individuals, the incident is not an eligible data breach and no notification needs to be made.
If you are aware of reasonable grounds to suspect that there may have been an eligible data breach in relation to your business, you will need to carry out a reasonable and expeditious assessment of whether there are in fact reasonable grounds to believe that the relevant circumstances amount to an eligible data breach. You must take all reasonable steps to complete the assessment within 30 days of becoming aware of the possible breach.
If there has been an eligible data breach, you will need to prepare a statement that includes the identity of the entity that suffered the eligible data breach, a description of the eligible data breach, the kinds of information that have been accessed, disclosed or lost, and the recommended steps that affected individuals should take in response. You will need to provide this statement to the affected individuals and the Privacy Commissioner as soon as practicable following the preparation of the statement.
There are also benefits in notifying the Privacy Commissioner: doing so is likely to be viewed favourably by the public, and it assists the Commissioner to respond to inquiries from the public and to manage any complaints that may be received as a result of the breach.
A failure to comply with these mandatory breach notification provisions constitutes an interference with the privacy of an individual. Serious or repeated interferences with privacy are punishable by a civil penalty of up to $1.7 million.
If you would like more information about privacy breaches or the Privacy Act more generally, please contact Peter North, Director, or Caroline James, Lawyer of the Business practice group on 03 9629 9629.
Copyright © 2021 Lewis Holdway Lawyers.