- New privacy legislation due to commence in early 2018 will require organisations that must comply with the Privacy Act to report certain data breaches.
- Be aware that the new legislation could apply to your firm and to your clients.
- Consider a ‘privacy audit’ involving a review of employees’ access to information, the quality of your cyber security measures and the adequacy of training programs.
Solicitors have always been custodians of confidential information. Our obligations to maintain the confidentiality of information received during the solicitor/client relationship arise through the common law, contract and equity. More recently, privacy legislation has put additional obligations upon many organisations that hold sensitive personal information.
These obligations are not limited to clients and may extend to personal information held about any individuals.
While there has always been a need for solicitors to keep information confidential, there is now increased awareness of the need to prevent or respond to data breaches in a world where digital communications are the norm and where technology amplifies the risk of information being illegally accessed or unwittingly disclosed to a wider audience.
Law practices that fall within the ambit of the Privacy Act 1988 (Cth) (‘Privacy Act’) are required to take reasonable steps to protect the personal information they hold from misuse, interference and loss, and from unauthorised access, modification or disclosure (Australian Privacy Principle 11).
How do data breaches occur?
Data breaches can occur in many different ways. Examples provided by the Office of the Australian Information Commissioner (‘OAIC’) include lost or stolen laptops, removable storage devices, hard disk drives and other digital storage media being disposed of or returned without the contents being first erased, the hacking of databases containing personal information, paper records being stolen from insecure recycling bins – and the list goes on.
New privacy compliance obligations
The Privacy Amendment (Notifiable Data Breaches) Bill 2016 passed through the Senate on 13 February 2017. The scheme is expected to commence operation in early 2018.
The impact of these changes was discussed by Nick Abrahams and Jamie Griffin in their article ‘The End of a Long Road: Mandatory Data Breach Notification Becomes Law’ (32 LSJ, April 2017, 76). Of particular significance is the new legislative requirement that the Privacy Commissioner and any affected individuals be notified when an ‘eligible data breach’ has occurred.
An eligible data breach occurs where:
- there is unauthorised access to, or unauthorised disclosure of, personal information held by the agency or organisation, or personal information is lost in circumstances where access to, or unauthorised disclosure of, information is likely to occur; and
- a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates (s 26WE(2)).
The legislation grants the Privacy Commissioner the power to seek civil penalty orders of up to $360,000 for individuals and $1.8 million for corporations in cases where the failure to make an eligible data breach notification amounts to a serious or repeated interference with privacy.