The Federal government has recently passed new legislation which amends the Privacy Act 1988 (Cth) (“Privacy Act”), by making it mandatory for entities to self-report a privacy breach.
The Privacy Amendment (Notifiable Data Breaches) Bill 2016 amends the Privacy Act to oblige certain entities to notify affected persons and the Privacy Commissioner if an eligible data breach (as defined in the Privacy Act) occurs.
Broadly, certain entities, credit reporting bodies, credit providers and file number recipients all have obligations under the Privacy Act.
Small business operators (businesses with less than $3 million turnover) are generally exempt from the privacy obligations, although there are some instances where they may need to comply with the Privacy Act – including if they hold health information in relation to the provision of a health service, they are a credit reporting body or they are a contracted service provider for a Commonwealth contract.
If you’re not sure whether your organisation is required to comply with the Privacy Act, we recommend seeking our advice in order to avoid the consequences of failing to comply with any applicable obligations.
Not every privacy breach constitutes an eligible data breach. An eligible data breach arises where there is either:
The Privacy Act gives guidance on determining whether a reasonable person would conclude that serious harm will likely result from the unauthorised access or disclosure of personal information. Amongst other things, you will need to assess:
It is possible to avoid a privacy breach being treated as an eligible data breach; however, your actions will need to remove the likelihood of serious harm resulting from the unauthorised access, disclosure or loss of information.
If you are aware of reasonable grounds to suspect that there is an eligible data breach, you will need to carry out a reasonable and expeditious assessment of whether there are in fact reasonable grounds to believe that the relevant circumstances amount to an eligible data breach. You must take all reasonable steps to complete the assessment within 30 days of becoming aware of the possible breach.
If there has been an eligible data breach, you will need to prepare a statement that includes the identity of the entity (or entities) that suffered the eligible data breach, a description of the eligible data breach, the kinds of information that have been accessed, disclosed or lost, and the recommended steps that affected individuals should take in response. You will need to provide this statement to the affected individuals and the Privacy Commissioner as soon as practicable following the preparation of the statement. You must provide the notice in the manner outlined in the Privacy Act.
A breach of these mandatory breach notification provisions constitutes an interference with the privacy of an individual. Serious or repeated offences are punishable by a civil penalty of up to $1.7 million.
If you need assistance, please contact Peter North, Senior Associate or Caroline James, Lawyer from the Business Team on 03 9629 9629.
Copyright © 2021 Lewis Holdway Lawyers.