Eligible Data Breaches
The Act sets up a scheme for notification of ‘eligible data breaches’. An eligible data breach happens if:
- there is unauthorised access to, unauthorised disclosure of, or loss of, personal information held by an entity; and
- the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates.
Examples of data breaches include malicious cyber security incidents, the accidental loss of information, and the negligent or improper disclosure of information.
New Reporting Obligations
Under the new scheme, an entity covered by the Privacy Act must take steps to notify the Information Commissioner and affected individuals if the entity:
- has reasonable grounds to believe that an eligible data breach has happened; or
- is directed to do so by the Commissioner.
Penalties
Failure by an entity to comply with the new data breach obligations will be deemed an interference with the privacy of an individual, triggering the powers of the Commissioner to investigate and make determinations.
Penalties under the Privacy Act range from public and personal apologies, compensation payments or enforceable undertakings, through to civil penalties – the maximum civil penalty is $360,000 for individuals and $1.8 million for corporate entities.
When do the new provisions come into effect?
The scheme will come into effect on a date yet to be proclaimed or, at the latest, 12 months following Royal Assent (which was 22 February 2017). Entities already covered by the Privacy Act should consider preparing for the new reporting scheme and reviewing their internal privacy procedures where appropriate.
Tips to minimise risk
- Take the time to understand your obligations under the Privacy Act and get advice where necessary.
- Review your internal procedures for collecting and storing information, and make sure that they are adequate.
- Have contingency plans and procedures set in place in the event of a data breach.
- Raise awareness and educate staff about your organisation’s internal procedures and how to respond to an actual or suspected data breach.
- Ensure that your IT and data storage systems are monitored and secure.
More information can be found at the website of the Office of the Australian Information Commissioner, where the text of the Act is also available.