- The Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) imposes obligations on certain businesses to investigate and notify the OAIC and affected individual(s) of eligible data breaches.
- While legal practices with a turnover exceeding $3 million (or which meet other criteria) need to comply with the legislation, there are good reasons for others to assume voluntary notification.
- A data breach response plan is essential to being prepared for an eligible data breach.
- The OAIC has excellent online guides for securely handling personal information and responding to breaches.
The Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) (‘the Act’), which takes effect on 22 February 2018, imposes mandatory investigation and notification obligations on organisations currently subject to the Privacy Act 1988 (Cth) and businesses with an annual turnover exceeding $3 million (with some exceptions) in respect of ‘eligible data breaches’.
This article overviews the key features of the amendments in order to explain why legal practices not subject to mandatory notification should nevertheless consider voluntary notification.
Notification of eligible data breaches
The notification regime established by the amendments requires any organisation that is subject to the Privacy Act 1988 to notify the Office of the Australian Information Commissioner (‘OAIC’) and affected individuals about ‘eligible data breaches’. An ‘eligible data breach’ occurs where:
- there is unauthorised disclosure of, or access to, personal information and a ‘reasonable person’ would conclude that there is a ‘likely risk’ of ‘serious harm’ to any affected individuals arising from the disclosure or access; or
- personal information is lost in circumstances likely to give rise to unauthorised disclosure of, or access to, that information and a ‘reasonable person’ would conclude there is a ‘likely risk’ of ‘serious harm’ to any affected individuals (s 26WE(2)).
‘Reasonable grounds’ to believe an eligible data breach has occurred is the only requirement. A reasonable and expeditious assessment must be undertaken within 30 days of the organisation first becoming aware of the suspected data breach.
Where the initial assessment indicates reasonable grounds to suspect an ‘eligible data breach’ has actually occurred, the organisation must provide a statement to the Commissioner and distribute the contents of that statement to individuals at risk of serious harm. There are three options for notifying individuals at risk of serious harm, depending on what is ‘practicable’ for the entity (s 26WK(2)). The OAIC exposure draft details the options and sets out the content to be reported under each option.