Under the new legislation, an individual is entitled to receive notice when an unauthorised person gains access to the individual’s data. The new measures are far reaching, capturing unauthorised access caused by the most innocent of mistakes. These mistakes may include people accessing unsecured recycling or rubbish bins; emails being sent to incorrect recipients; employees failing to delete work-related material from a borrowed device; and laptops or documents being left behind in public places.
The Privacy Amendment (Notifiable Data Breaches) Act 2017 (Data Breach Legislation) amends the Privacy Act 1988 (Cth) (Privacy Act) by imposing mandatory reporting obligations on entities that collect and hold personal information. These obligations are triggered if the entity suffers a data breach and, as a result, personal information held by the entity is accessed or disclosed without authorisation, or is lost.
The new provisions are expected to commence operating on 22 February 2018, requiring entities holding personal information to tighten their security procedures. Before that date, entities should:
- review the adequacy of their current policies and procedures for collecting, storing and using personal information;
- adopt an action plan for dealing with data privacy breaches;
- review existing contractual arrangements to ensure they facilitate compliance with the Data Breach Legislation; and
- consider adopting additional security measures (for example: staff training, password protected databases, installing firewalls and appointing a responsible staff member to handle data breaches).
Who does the Data Breach Legislation apply to?
The Data Breach Legislation applies to entities that already have obligations under the Privacy Act to secure personal information. These include: Australian Government agencies; businesses and not-for-profit organisations with an annual turnover of more than $3 million; private sector health service providers; credit reporting bodies and credit providers; certain small business operators; entities trading in personal information; and tax file number recipients.
The legislation also applies to entities with an ‘Australian link’, such as a person with Australian citizenship or permanent residency, organisations formed or incorporated in Australia, unincorporated associations with central management in Australia and organisations carrying on business (and collecting or holding personal information) in Australia.
Subject to limited exemptions, Australian-based entities remain liable under the Data Breach Legislation even where information has been passed to an overseas recipient (being a recipient who is not in Australia or an external Territory).
When must action be taken in response to a data breach?
An eligible data breach occurs where:
- personal information held by the entity is accessed or disclosed without authorisation, or lost in circumstances where unauthorised access or disclosure is likely to occur; and
- that access or disclosure is likely to cause “serious harm” to the individuals to whom the information relates.
Advance planning is the key to responding effectively to a data breach, and the quality of the public notification will be a primary factor in restoring consumer confidence.
What action should be taken in response to an eligible data breach?
If an entity has reasonable grounds to suspect that an eligible data breach may have occurred, it must:
- Conduct an investigation within 30 days to determine whether there are reasonable grounds for believing that an eligible data breach has occurred;
- Notify the Commissioner as soon as practicable if the investigation reveals reasonable grounds for believing an eligible data breach has occurred (or if otherwise required by the Commissioner). The notification to the Commissioner must include a statement describing the breach, the kinds of information affected and the entities involved, and a recommended course of action for affected individuals; and
- Notify affected individuals about the breach as soon as practicable, either by taking reasonable steps to notify them about the contents of the statement (if feasible), or by publicising the statement on the entity’s website.
When is an entity exempt from compliance?
An entity does not need to take the steps referred to above in limited circumstances, such as:
- where multiple entities are responsible for the breach, and one of the other entities has already complied with the requirements;
- where compliance would breach other secrecy legislation; or
- where the Commissioner grants an exemption from, or an extension of time for, compliance.
What penalties can be imposed for failure to comply with the legislation?
Failure to take the steps referred to above constitutes an “interference with the privacy of an individual” under the Privacy Act, and may prompt an investigation and determination by the Commissioner. If sufficiently serious or repeated, the conduct may attract a civil penalty of up to $420,000 for an individual or $2,100,000 for a body corporate.