Just when you thought discovering a data breach within your organisation was already a headache – such as a lost company computer or an employee disclosing unauthorised information – from 22 February 2018 this could become a migraine as you are now obliged to notify the Office of the Australian Information Commissioner (OAIC) and any affected individuals. Failure to do this can result in civil penalties.
Want to know more about the structure of this new legislation? Please read on.
The Privacy Amendment (Notifiable Data Breaches) Act 2017 amends the Privacy Act 1988, to include a new mandatory data breach notification scheme in Part IIIC of the Act. These new laws take effect from 22 February 2018.
New obligations
The mandatory Notifiable Data Breaches (NDB) scheme requires organisations and federal agencies subject to the Privacy Act to report an “eligible data breach” to the OAIC and to the individuals potentially affected.
The notification involves at least two steps. First, you must give a statement containing prescribed information to the OAIC. Second, you must notify the affected individuals. Whilst the actual steps will differ depending on the circumstances, this will usually entail a statement to the individual via normal means of communication.
If you have reasonable grounds to suspect an eligible data breach, you must carry out a prompt and reasonable assessment within 30 days.
What is an eligible data breach?
An eligible data breach occurs where there has been unauthorised access to, or disclosure of, personal information, or where information has been lost in circumstances where unauthorised access or disclosure is likely. An objective test is applied: would a reasonable person conclude that there is a probable risk of serious harm to any of the individuals affected by the unauthorised access to, or disclosure of, the personal information?
What is serious harm?
The definition of serious harm is broadly construed, but will include any serious physical, psychological, emotional, economic or financial harm as well as reputational damage. Serious harm will be considered likely if the harm is determined to be “more probable than not”.
Whilst harm itself is not defined, the new legislation does provide a non-exhaustive list of factors that should be considered when determining whether the breach is likely to result in serious harm. These include:
- The type and sensitivity of the information;
- Any security measures that have been taken, and the likelihood that such measures could be overcome;
- The people who have access to, or could obtain, the information; and
- The nature of the harm.
The first Quarterly Report released
The OAIC has published the first quarterly report of data breach notifications for 2018. It received 63 data breach notifications in the first six weeks of the NDB scheme, compared with only 114 voluntary notifications in the whole 2016-17 financial year. This increase in reporting will help the OAIC better identify areas for improvement in information security. The full quarterly report, with further statistics, is published by the OAIC.
What should you do?
You should continue to comply with your data security obligations under the Australian Privacy Principles and also follow the recommended steps in the OAIC’s guide to handling personal information security breaches.
You should also review your current security processes and procedures to incorporate your scheme assessment and notification obligations and consider any other systems or processes that may need to be developed to comply with the scheme.
A data breach response plan should also be developed, covering responses to cyber incidents and to broader data security breaches. This plan should enable you to respond efficiently and lawfully to an actual or suspected data breach. It should be communicated to all staff, with training on what to do if they suspect or become aware of a data breach.
For more information on mandatory data breach notification laws contact Peter McNamara today.