- By Insights@Blackwall
- Posted April 20, 2018
Organisations hold increasingly large amounts of personal information, sometimes without being conscious of the sensitivity of that information. Cyber data breaches pose a real threat to the public and therefore, to your business.
The Office of the Australian Information Commissioner (the Regulator) received 114 voluntary data breach notifications in the 2017 financial year alone. Historically, there has been no mandatory legal requirement for an entity to inform an individual that a data breach involving their personal information has occurred, regardless of the risk of harm that may arise as a result.
The Privacy Amendment (Notifiable Data Breaches) Act (Cth) 2017 (Privacy Amendment Act) came into effect on the 22nd of February 2018. It amends the Privacy Act (Cth) 1988 (Privacy Act) to introduce a national Notifiable Data Breaches (NDB) scheme. The scheme requires entities regulated by the Privacy Act to disclose when they have suffered an ‘eligible data breach’. It provides more security for the public and places more responsibility on entities holding personal information. The Explanatory Memorandum to the Privacy Amendment (Notifiable Data Breaches) Bill 2016 states:
The absence of a requirement to notify individuals of data breaches involving personal information does not align with the almost universal agreement from the Australian public that an organisation should inform them if their personal information is lost.
So what is an ‘eligible data breach’?
An eligible data breach occurs if:
- there is unauthorised access to, unauthorised disclosure of, or loss of, personal information held by an entity; and
- the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates.
The definition is broad and extends beyond malicious cyber attacks to also cover incidents of accidental disclosure of information or negligent or improper disclosures of information. The key is that the disclosure is likely to cause ‘serious harm’.
While ‘serious harm’ is not defined in the Privacy Act, it could include “serious physical, psychological, emotional, economic and financial harm, as well as serious harm to reputation and other forms of serious harm that a reasonable person in the entity’s position would identify as a possible outcome of the data breach.”
How does an entity notify?
Notices must be given to affected individuals and the Regulator as soon as an eligible data breach is known or suspected. A notice must include the entity’s identity and contact details, a description of the data breach, a description of the kinds of information concerned, and recommendations about the steps that individuals should take in response to the data breach, such as changing passwords and cancelling current credit cards.
What are the penalties for non-compliance?
Serious or repeated offences may attract a civil penalty of up to $360,000 for individuals and $1,800,000 for entities. On top of these monetary penalties, data breaches can cause long-term reputational damage and loss of client/customer trust.
An entity can and should take urgent remedial action where there is a suspected or eligible data breach. Depending on the circumstances of each case, this may include taking steps to minimise or eliminate the risk of serious harm, or preventing unauthorised access to or disclosure of personal information. Where an entity succeeds in taking remedial action, the breach may not be an eligible data breach.
How can we help?
Facing new legislative and compliance requirements is always a difficult task for entities, and Blackwall Legal helps with this transition by:
- efficiently assisting your business to assess what information it holds which might be covered by privacy requirements;
- formulating a data protection strategy to minimise risk associated with any potential breaches; and
- verifying whether a possible breach has taken place and working with the Regulator on your behalf.