Amendments to the Privacy Act will ensure private sector organisations and Government agencies must notify the Federal Privacy Commissioner of serious data breaches. Why is this important? Technology disruption continues to develop at an unprecedented rate and is typically associated with a significant escalation in privacy and security incidents. Mandatory breach notification will play a major role in regulating Australia’s digital economy and align our regulatory framework with our international counterparts. Below we set out what your business needs to know about responding to a breach and the new reforms.
1. Do You Need to Comply?
All Australian entities bound by the Australian Privacy Act 1988 and the Australian Privacy Principles will need to abide by the proposed reforms. That is, does your business exceed an annual turnover of $3 million? If so, you will need to comply with the APPs.
Interestingly, foreign companies that deal with Australian consumers and use or collect personal data will be bound. Similarly, Australian companies that send personal data offshore will also need to provide notice of a breach under Australian Privacy Principle 8.1.
2. What Will Cause a Notification Event?
The threshold test for a notification event under the Bill is when there are “reasonable grounds” to indicate or believe that a “serious data breach” has occurred. There will be further clarification as to what constitutes a serious breach.
At this point, there is the “real risk of serious harm” test, where harm can take many forms, including emotional, reputational, financial, physical and psychological harm. For example, a data breach could involve health records, bank details or other sensitive personal data.
The prescribed time frame for entities to act on a serious data breach is 30 days from when they first became aware of it.
3. Who to Notify?
In the event of a serious breach, the Privacy Commissioner must be notified as well as the individual whose data has been breached. Reasonable steps must be taken to provide the information below to both parties.
4. Company Details
You must provide the Privacy Commissioner and the party whose data has been breached with the following information:
- A detailed description of the breach, and the grounds on which the company believed the breach occurred;
- The information involved in the breach; and
- The actions required in response to the breach.
If the company is unable to notify the individual, then the company must publish a notice of the breach on its website.
5. What Happens if I Don’t Report?
Non-compliance with the proposed mandatory notification may result in civil penalties of up to $1.7 million. This is a discretionary penalty.
Furthermore, non-compliance may be taken as a breach of the duty of care and negligence, and companies may face litigation as a result including a class action.
ASIC and the OAIC also take an interest in how organisations respond to data breaches and cyber security threats.
6. How to Prepare
The data breach notification requirements will strengthen Australia’s privacy laws to match that of other international jurisdictions such as the EU and US. Australian companies with offshore data processing will need to be particularly mindful. When preparing for a data breach, ensure that you have the appropriate structure in place should an event occur.
Importantly, appoint a designated response team within your business or organisation to handle data breaches. They will be tasked with notifying the relevant parties and taking the necessary steps to manage a breach. We set these out in our earlier article on Privacy Awareness Week. You and your response team should also know where sensitive data is stored, as you may be required to comply with international legislation. Finally, take proactive measures and have targeted internal policies to deal with your company’s data in each jurisdiction.
Airbnb and Uber
Platforms such as Airbnb and Uber have unprecedented access to personal customer information. Both social platforms rely on trust when collecting and dealing with data. It is therefore important that each of these businesses has its own transparent and open privacy policy and is compliant with data breach notification laws. Compliance will facilitate trust and increase use by patrons, as both companies depend on their customers willingly sharing personal information.
As technology continues to evolve at an unprecedented rate, it is important to report and tackle serious data breaches on a case-by-case basis. Your business should take steps to develop systematic responses and notifications to ensure compliance as the Privacy Amendment (Notification of Serious Data Breaches) Bill 2015 is rolled out. Questions? Get in touch with our IT lawyers on 1300 544 755.