In February 2018, Australia introduced new data breach notification rules. The rules make it compulsory for businesses to inform both the people whose data was breached and the Office of the Australian Information Commissioner (OAIC) of data breaches, for example where a business has its systems hacked or loses a device containing customers’ names and email addresses. It is therefore crucial to determine whether the new mandatory data breach notification rules affect you. Additionally, if a breach occurs, you need to know whether it falls within the category of an ‘eligible’ data breach.
This article sets out the recent changes to help you determine if your business is required to comply and what you should do in the event of a data breach.
Do the Rules Apply to my Business?
The new data breach notification rules apply to your business if you are already required to comply with the Australian Privacy Principles (APPs). While the new rules also apply to government agencies, this article will focus on private sector businesses.
As a quick summary, businesses that must comply with the APPs include:
- businesses that earn a revenue greater than $3 million in any given year;
- health service providers;
- contractors providing services under a Commonwealth contract;
- credit reporting bodies;
- businesses that buy or sell personal information; and
- businesses that have opted-in to the APPs.
If your business falls into one of these categories, the APPs apply to it, and you will therefore be required to comply with the new rules on data breaches.
Compliance with the Data Breach Notification Scheme
The new mandatory data breach notification rules do not require you to make immediate changes to your business. Rather, the rules set out how you must handle a data breach if one occurs. We recommend you set up a data breach response plan, since dealing with a data breach correctly can become difficult if you have not taken this precaution.
If you think a data breach has occurred, you need to first figure out if the breach is an ‘eligible data breach’. If the answer is yes, then you must contact the OAIC as well as any individual potentially affected.
What is an Eligible Data Breach?
An eligible data breach has two elements:
- there has been unauthorised access to or disclosure of personal information, or personal information is lost in circumstances where access to or disclosure of the information is likely to occur; and
- a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to the people the information relates to.
For example, an eligible data breach might occur where:
- you lose a device containing your customers’ names, email addresses and other contact details;
- a database containing a large amount of customer information is hacked; or
- you accidentally provide one person’s details to an unintended recipient.
When is a Breach ‘Likely to Result in Serious Harm’?
If the breach is ‘likely to result in serious harm’, then it is an eligible data breach. Whether a breach is likely to result in serious harm depends on the circumstances, but relevant factors include:
- whether the breached data relates to sensitive information about the individual;
- the types of people who could obtain the information because of the breach; or
- the level of protection given to information held about an individual and how easy it might be to overcome that protection.
Harm may be psychological, emotional, physical, economic or financial.
Notifying Affected Persons
If you believe that an eligible data breach has occurred, you must notify everyone affected by the breach, as well as anyone whose data you believe may have been affected.
A notifying email should contain:
- your business’ contact details;
- a description of the data breach;
- an explanation of the information affected; and
- steps the affected individual should take to reduce their risk (for example, changing passwords or cancelling cards).
You should also provide a copy of this notification to the OAIC. If you do not comply with the requirement to notify individuals of a data breach, you run the risk of your business being fined.
Data Breach Response Plan
Creating a data breach response plan can make dealing with data breaches significantly easier. This is particularly true if you have a large number of customers in your database or you hold sensitive information about them.
During a data breach, you must contact affected individuals promptly. You do not want to be uncertain about who is affected or which specific information was leaked. A clear response plan, together with accurate, up-to-date records of customer contact details, will make this process far easier.
Also take the opportunity to evaluate the security measures you use and make sure they are adequate for the type of information you hold about individuals. A good rule of thumb is that the more sensitive the information you hold, the higher your level of security should be.
You will need to comply with the new data breach notification scheme if the APPs already apply to your business. If your business revenue is under $3 million per year, you may be exempt unless you fit into one of the special organisation categories listed above.
The next step is to evaluate your cyber security and prepare a data breach response plan. While a response plan is not a legal requirement, it can drastically improve your ability to notify affected persons. If a data breach occurs, you need to assess whether it is an eligible data breach and, if it is, notify the OAIC and anyone affected. If you need help in complying with Australian privacy law, contact LegalVision’s IT lawyers on 1300 544 755 or fill out the form on this page.