On 12 March 2014, following the introduction of a suite of privacy reforms, the requirements placed on organisations and agencies with respect to their receipt, management and release of personal information under the Privacy Act 1988 (Cth) (Privacy Act) and the associated Australian Privacy Principles (APP) were extended and made far more prescriptive. These reforms included:
These requirements may now be extended further following the submission of the Privacy Amendment (Notification of Serious Data Breaches) Bill 2015 (Bill) to the public for comment and in view of the likely successful passage of the Bill later this year. If the Bill becomes law via the amendment of the Privacy Act, agencies and organisations would be required to notify the OAIC and affected individuals following a serious data breach.
Could the proposed changes apply to me/my organisation or agency?
Your entity will be required to comply with the proposed changes if it is an agency or an organisation (being an individual, company, partnership, trust or any unincorporated association with an annual turnover of $3 million or more in revenue in a year).
What is a “serious” data breach?
A serious data breach would occur if personal information, credit reporting information, credit eligibility information or tax file information that an organisation or agency holds about one or more individuals is subject to unauthorised access or disclosure that puts any of the individuals to whom the information relates at real risk of serious harm, or which would be likely to lead to unauthorised access or disclosure that would put any of the individuals affected at real risk of serious harm. The key distinction here is that a breach may be deemed to have arisen even if it would only be likely to lead to a real risk of serious harm (rather than certainly leading to such a risk).
What would my organisation or agency need to do if there is a serious data breach?
If your organisation or agency were to have reasonable grounds on which to believe that a serious data breach has occurred or arisen, it would be required to notify the OAIC and the affected individuals of that breach by way of issuing a notification statement. By contrast, if your organisation or agency were to suspect that a serious data breach has arisen, it would have 30 days within which to assess whether notification is required.
If your organisation or agency were to determine that it is necessary for it to issue a notification statement, the statement would need to address or include:
Your organisation or agency would then be required to provide a copy of the statement to the OAIC and to take reasonable steps to notify all of the affected individuals (this would most likely be by contacting the affected individuals by using whatever channels they normally use to contact those individuals – whether by email, post or phone). If it is not possible to notify some of or all of the affected individuals, your organisation or agency would be required to publish the statement on its website and to take reasonable steps to publicise the statement.
How far would those notification requirements extend?
Your organisation or entity would not be required to comply with the mandatory notification procedure if:
What would happen if I/my organisation or agency fails to issue a notification as required?
Many organisations and agencies have already expressed concerns about the potentially onerous implications of complying with the proposed changes, including the significant costs associated with notifying affected individuals and the difficulty of setting up policies and procedures which will enable them to identify serious data breaches and to act on them in a timely manner.
Organisations and agencies must note that if they were to fail to comply with the proposed changes, they would:
Lavan Legal Comment
With the successful passage of the Bill being highly likely, organisations and agencies need to start thinking now about whether they already have policies and procedures in place which would enable them to comply with these proposed changes. Although the prospect of enacting those policies and procedures may appear to be overwhelming and cost-intensive, by acting in advance agencies and organisations can ensure that they will be ready to comply with these changes, as and when they come into force, in a cost-effective manner. If you have any questions about the Bill or whether your organisation or agency is acting and operating in a manner which complies with the proposed changes, please contact Mathea McCubbing or Iain Freeman.