The new mandatory data breach notification laws will require organisations to report any ‘eligible data breaches’ to the Australian Privacy and Information Commissioner (the Commissioner) and notify affected customers as soon as possible.
Passed on 13 February 2016 by Federal Parliament, this scheme will bring Australia in line with other overseas jurisdictions such as the United States and the European Union and improve transparency for consumers.
What are the New Data Breach Notification Laws?
An eligible data breach occurs if:
- There is unauthorised access to, unauthorised disclosure of, or loss of personal information held by an entity; and
- The access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates.
Your business will have to give notification if:
- It has reasonable grounds to believe that an eligible data breach has happened; or
- It is directed to do so by the Commissioner.
These mandatory breach notification requirements apply to organisations that have obligations under the Privacy Act 1988, including:
- Australian Government agencies;
- Businesses and not-for-profit organisations with an annual turnover of more than $3 million;
- Certain businesses with an annual turnover of $3 million or less that:
  - Provide health services and hold individual health information;
  - Sell or purchase personal information, including credit reporting bodies; or
  - Are contracted service providers for a Commonwealth contract (for example, child care centres, private schools and private tertiary educational institutions).
Notification must be provided to affected customers as soon as possible and no later than 30 days after the entity becomes aware of the breach, or after the time when the entity ought reasonably to have become aware of the breach. Non-compliance can attract a maximum penalty of $360,000 for individuals and $1,800,000 for bodies corporate.
What Does This Mean for Your Business?
If your business is subject to the Privacy Act, you will need to comply with the new mandatory data breach notification laws. More importantly, to avoid any potential embarrassing publicity, you should do the following:
1. Ensure your business adheres to Australian Privacy Principles (APP)
Take reasonable steps to implement practices, procedures and systems that ensure your business complies with the Australian Privacy Principles and any binding registered APP code. It is also vital that your systems are able to deal with related inquiries and complaints.
For example, make it clear to consumers how your organisation can be contacted with any complaints, and ensure that you have sufficient control over your data management system to take immediate action to address complaints (especially where you rely on third-party IT providers to manage that system).
3. Only use data for purposes it was collected for
Use or disclose any personal information for the primary purpose for which it was collected, or for a secondary purpose in specified circumstances.
This is a timely opportunity to review your privacy and data security policies to evaluate whether they comply with the new mandatory data breach notification laws.
Need advice on reviewing and updating your privacy policies, data breach response plans and Terms & Conditions of Use for confidential data? Get in touch with us:
+61 3 9620 9660