Do you need a Data Breach Response Plan?

The Privacy Amendment (Notifiable Data Breaches) Act 2017 was assented to on 22 February 2017 with amendments to the Privacy Act commencing on 22 February 2018.

The passage of the amending Act established the Notifiable Data Breaches (NDB) scheme in Australia. From 22 February 2018 the NDB scheme applies to all agencies and organisations with existing personal information security obligations under the Australian Privacy Act 1988 (Privacy Act). That is, it applies to any entity with a gross turnover of over three million dollars (or one that has opted in to the Act), and to any entity that holds private health information, such as those in the medical and NDIS sectors.

The NDB scheme will also apply to certain credit providers, credit reporting bodies, and holders of tax file number information, such as accountants and financial advisors.

The NDB scheme introduced an obligation to notify individuals whose personal information is involved in a data breach that is likely to result in serious harm. This notification must include recommendations about the steps individuals should take in response to the breach.

Agencies and organisations must be prepared to conduct a quick assessment of a suspected data breach to determine whether it is likely to result in serious harm and therefore requires notification.

(Serious harm may be constituted by serious physical, psychological, emotional, economic and financial harm, as well as serious harm to reputation and other forms of serious harm that a reasonable person in the entity's position would identify as a possible outcome of the data breach.)

In particular, Australian Privacy Principle 11 requires organisations to take reasonable steps to protect the personal information they hold from misuse, interference and loss, and from unauthorised access, modification or disclosure. "Reasonable steps" include notification of certain data breaches, and having and implementing a data breach response plan.

The first 24 hours after discovery of a data breach are critical to restoring security, minimising harm, obtaining and preserving evidence, and complying with contractual and legal obligations. Therefore, a relevant entity should establish a Data Breach Response Plan.

A Data Breach Response Plan should provide your organisation with prioritised key steps to take (i.e. what to do) in response to a cyber incident or data breach, and key warnings as to what not to do. It should also identify the types of attack that could occur, the locations where sensitive data is stored electronically, and the level of protection that assets require against the various threats.

Breaches are not limited to malicious actions like theft or "hacking". They also include human error and mishandling of personal information resulting in accidental loss or disclosure, for example: lost or stolen electronic devices; employees accessing or disclosing personal information outside the authorisation of their employment; and an organisation mistakenly providing personal information to the wrong person or sending it to the wrong email address. These are just some of the examples of human error that could apply.

For more information or assistance on the amendments to the Privacy Act, or on preparing a Data Breach Response Plan, contact one of our employment lawyers.


Date Published - March 10, 2022

The Content and links referenced in this article were valid at the date of publishing.


Copyright ©2024 McNamara Law
