It is a legal requirement on businesses, agencies and organisations to notify individuals when a breach of security has resulted in the disclosure of personal information. This data breach notification is required by the Privacy Act 1988 (Cth) – agencies and organisations are required to take reasonable steps to maintain the security of the personal information they collect. Any information that is misused, interfered with, or lost from unauthorised access, modification or disclosure must be disclosed. Notification of a data breach supports good privacy practice.
Data breaches are not limited to malicious actions, such as theft or ‘hacking’, but may arise from internal errors or failure to follow information handling policies that cause accidental loss or disclosure. If a data breach takes place, notification can be an important mitigation strategy. It can also promote transparency and trust in the organisation or agency.
Examples of data breaches:
- lost or stolen laptops and storage devices
- hacking of databases
- employees accessing unauthorised information
- paper records stolen
- an individual deceiving an agency or organisation into improperly releasing the personal information of another person
Reasonable Steps to Prevent Breaches of Data
Organisations are required to prepare and implement a data breach policy and response plan. This should include notifying affected individuals and the OAIC (Office of the Australian Information Commissioner) of any breach. If there is a real risk of serious harm as a result of any breach of data, the OAIC should be notified.
Responding to a Data Breach
There are four key steps to consider when responding to a breach or suspected breach:
- Step 1: Contain the breach and do a preliminary assessment. This involves taking immediately steps to contain the breach and designate a person or team to coordinate response.
- Step 2: Evaluate the risks associated with the breach. Consider what personal information is involved.
- Step 3: Notification. This will involve a risk analysis.
- Step 4: Prevent future breaches by fully investigating the cause of the breach.
In determining notification, agencies should notify the individuals affected by the breach. However, in some cases it may be appropriate to notify the individual’s guardian or authorised representative on their behalf. The OAIC strongly encourages agencies and organisations to report serious data breaches to the OAIC. The precise wording of the notification notice may have legal implications. Organisations should seek legal advice. The legal implications could include secrecy obligations that apply to agencies.
Preventing Future Data Breaches
In preventing future data breaches, organisations and agencies should implement a breach response plan or a breach response team to handle incidents from occurring again. Enhancing transparency through internal communication and training can also prevent future breaches.
If your business, organisation or agency has been involved in a data breach, our lawyers can assist you with your obligations in complying with the Privacy Act. Please call our office on 1300 544 755 and our Client Care team will happily provide you with an obligation-free consultation and a fixed-fee quote.