Early this week the Senate passed the Privacy Amendment (Notifiable Data Breaches) Bill 2016 (Cth). The key amendment is the introduction of a mandatory data breach notification scheme, which will make it a legal requirement for entities regulated under the Privacy Act 1988 (Cth) to provide notice to regulators and customers affected by a data breach.
What is a notifiable breach?
Not every data breach will require notice. A breach will need to be reported by an organisation if it qualifies as an eligible data breach. An eligible data breach will occur when the following conditions are satisfied:
- There is unauthorised access to or disclosure of the information, or the information is lost in circumstances where such access or disclosure is likely to occur; and
- A reasonable person would conclude that access or disclosure would be likely to result in serious harm to any of the individuals to whom that information relates.
Only data breaches likely to result in serious harm are required to be reported. Serious harm is not defined; however, there is a list of relevant matters that organisations will need to consider when determining whether access or disclosure would be likely or not likely to result in serious harm. These include the sensitivity of the information, how the information is protected and the type of person that has obtained the information.
How will these changes affect businesses?
All entities regulated by the Privacy Act 1988 (Cth) will be legally required to notify the Australian Information Commissioner and those affected by a data breach. Entities subject to this new scheme include Australian Government agencies, not-for-profit organisations and businesses with an annual turnover of over $3 million. The Act also applies to some small businesses with an annual turnover of less than $3 million, such as:
- Private Sector Health Service Providers (including gyms, weight loss clinics and alternative medicine practices);
- Businesses that sell or purchase personal information;
- Credit Reporting Bodies; and
- Businesses that have chosen to opt in to the Privacy Act.
If your business is regulated by the Act and an eligible data breach has occurred, the Australian Information Commissioner and those affected must be notified.
What happens if a business does not comply?
If an organisation fails to report an eligible data breach, it would be ‘deemed to be an interference with the privacy of an individual’. Serious or repeated interferences may result in a civil penalty of up to $360,000 for individuals and, in the case of corporations, up to $1,800,000.
Let us know your thoughts on the latest privacy data scare by tagging us #lawpath or @lawpath.