It is a legal requirement on businesses, agencies and organisations to notify individuals when a breach of security has resulted in the disclosure of personal information. This data breach notification is required by the Privacy Act 1988 (Cth) – agencies and organisations are required to take reasonable steps to maintain the security of the personal information they collect. Any information that is misused, interfered with, or lost from unauthorised access, modification or disclosure must be disclosed. Notification of a data breach supports good privacy practice.

Data Breaches

Data breaches are not limited to malicious actions, such as theft or ‘hacking’, but may arise from internal errors or failure to follow information handling policies that cause accidental loss or disclosure. If a data breach takes place, notification can be an important mitigation strategy. It can also promote transparency and trust in the organisation or agency.

Examples of data breaches:

  • lost or stolen laptops and storage devices
  • hacking of databases
  • employees accessing unauthorised information
  • paper records stolen
  • an individual deceiving an agency or organisation into improperly releasing the personal information of another person

Reasonable Steps to Prevent Breaches of Data

Organisations are required to prepare and implement a data breach policy and response plan. This should include notifying affected individuals and the OAIC (Office of the Australian Information Commissioner) of any breach. If there is a real risk of serious harm as a result of any breach of data, the OAIC should be notified.

Responding to a Data Breach

There are four key steps to consider when responding to a breach or suspected breach:

  • Step 1: Contain the breach and do a preliminary assessment. This involves taking immediately steps to contain the breach and designate a person or team to coordinate response.
  • Step 2: Evaluate the risks associated with the breach. Consider what personal information is involved.
  • Step 3: Notification. This will involve a risk analysis.
  • Step 4: Prevent future breaches by fully investigating the cause of the breach.

In determining notification, agencies should notify the individuals affected by the breach. However, in some cases it may be appropriate to notify the individual’s guardian or authorised representative on their behalf. The OAIC strongly encourages agencies and organisations to report serious data breaches to the OAIC. The precise wording of the notification notice may have legal implications. Organisations should seek legal advice. The legal implications could include secrecy obligations that apply to agencies.

Preventing Future Data Breaches

In preventing future data breaches, organisations and agencies should implement a breach response plan or a breach response team to handle incidents from occurring again. Enhancing transparency through internal communication and training can also prevent future breaches.

Conclusion

If your business, organisation or agency has been involved in a data breach, our lawyers can assist you with your obligations in complying with the Privacy Act. Please call our office on 1300 544 755 and our Client Care team will happily provide you with an obligation-free consultation and a fixed-fee quote.

About LegalVision: LegalVision is a tech-driven, full-service commercial law firm that uses technology to deliver a faster, better quality and more cost-effective client experience.
Lachlan McKnight

Get a Free Quote Now

If you would like to receive a free fixed-fee quote or get in touch with our team, fill out the form below.

  • We will be in touch shortly with a quote. By submitting this form, you agree to receive emails from LegalVision and can unsubscribe at any time. See our full Privacy Policy.
  • This field is for validation purposes and should be left unchanged.

Privacy Policy Snapshot

We collect and store information about you. Let us explain why we do this.

What information do you collect?

We collect a range of data about you, including your contact details, legal issues and data on how you use our website.

How do you collect information?

We collect information over the phone, by email and through our website.

What do you do with this information?

We store and use your information to deliver you better legal services. This mostly involves communicating with you, marketing to you and occasionally sharing your information with our partners.

How do I contact you?

You can always see what data you’ve stored with us.

Questions, comments or complaints? Reach out on 1300 544 755 or email us at info@legalvision.com.au

View Privacy Policy