Important Privacy Law Update
On Thursday 22 February 2018, the Privacy Amendment (Notifiable Data Breaches) Act 2017 will come into force. The amendment marks a major change to the legal consequences for businesses that have their data security breached.
Below are six key questions about the new data breach notification regime, how it works, and how it might affect your business.
Could the new law affect my business?
The amendment applies to all entities that are currently subject to the Australian Privacy Principles (‘APP entities’). This includes:
- individuals, corporations, partnerships, unincorporated associations and trusts with an annual turnover of more than $3 million;
- organisations and individuals who provide health services (including fitness services);
- organisations whose who deal in data (including when you are selling a client list of a business that isn’t otherwise captured);
- any business that allows payment of its invoices on more than 7 day terms; and
- Federal Government Ministers, Departments and other Federal government bodies/agencies.
The changes will, however, only apply if you hold certain categories of information. These are:
- personal information (this means any information or opinions about an identified individual, or an individual who is reasonably identifiable, for example a person’s name, image, financial details etc.);
- credit reporting information;
- credit eligibility information; or
- tax file number information.
When is this notification regime triggered?
The new regime is triggered in two situations, both known as an ‘eligible data breach’. First, it will operate where there is unauthorised access to, or disclosure of, information and this is likely to result in serious harm for any individual to which the data relates. Second, it will operate where information is lost in circumstances where unauthorised access or disclosure is likely and, if that disclosure does occur, it is likely to result in serious harm for any individual to which the data relates.
What is ‘Serious Harm’?
The drafting of the amendment suggests that ‘serious harm’ is to be interpreted broadly and may include physical, emotional, economic and financial harm, as well as reputational damage to the individual. This unfortunately leaves a lot of ambiguity for businesses trying to determine whether a breach is likely to cause serious harm or not.
What do I have to do if there is a data breach?
If there is an eligible data breach, your business must prepare a statement. The statement must include information such as the entity’s contact details, a description of the data breach, the kinds of information concerned and recommended steps for individuals to take. This statement must be sent as soon as possible to both the Office of the Australian Information Commissioner and the affected individuals.
Do I always have to provide notifications?
Yes. If there are reasonable grounds to believe that an eligible data breach has occurred, your business must provide notifications. If your business considers that there is merely a suspicion of a breach, the new law requires you to conduct an assessment within 30 days of the suspected breach to determine whether notifications are necessary.
What if my business fails to comply?
There are certain exceptions which may exempt your business from mandatory notifications (e.g. if your business takes certain remedial actions). However, in most cases, a failure to comply may give rise to warnings and fines (up to a maximum of $1.8 million for corporations). Of course, your business may also suffer reputational and commercial damage.
Overall, the new privacy laws require businesses to be increasingly proactive in securing any data that they hold.
Please note that this email does not constitute legal advice and does not take into account your specific circumstances. For tailored advice on ensuring that your business is compliant with the Privacy Amendment (Notifiable Data Breaches) Act 2017, or for more information about privacy laws in general, please contact Paul Gordon by email (firstname.lastname@example.org) or mobile (0438 767 017).