If you are a business that has a turnover of more than $3 million, there are changes being proposed that may affect the way you deal with and handle breaches of privacy.
Currently, the Privacy Act 1988 (Cth) does not require mandatory reporting if there has been a privacy breach. The current legislation protects personal information from misuse, interference, loss, unauthorised access and disclosure, but there is no requirement to report a data breach if it occurs.
However, changes are being proposed in the Privacy Amendments (Notification of Serious Data Breaches) Bill 2015 (Cth) which will introduce an obligation for mandatory reporting.
This obligation will compel businesses to improve data safeguarding procedures and policies, thereby increasing data security, public accountability and transparency.
Trigger: real risk of serious harm
A serious data breach arises where there is a real risk of serious harm to the affected individuals, and mandatory reporting is triggered where there are reasonable grounds to believe that such a serious data breach has occurred.
Examples of breaches of privacy that may attract mandatory reporting include the following:
- The release of personal details either maliciously through theft or hacking, and/or by accident through internal errors or failure to follow information handling policies;
- Release of tax file numbers;
- Release of credit rating information.
Who must this breach be reported to?
The breach must be reported to the Privacy Commissioner, as well as affected individuals.
If it is not practicable to notify the affected individuals, businesses should take reasonable steps to publicise a statement. This could include publishing a statement on the entity’s website or through social media.
When does the breach need to be reported?
Notification is required as soon as practicable after the entity becomes aware or ought reasonably to have become aware of this serious data breach.
In circumstances where an entity suspects that a data breach has occurred, but is not yet certain, the entity has up to 30 days to assess whether there are reasonable grounds to deem it a serious breach in order to warrant mandatory reporting.
What should be included when notifying affected persons?
In general, notification should include the following:
- Incident description;
- A description of the breach and the “reasonable grounds” upon which the entity believes the breach occurred;
- Type of personal information involved;
- Response to breach;
- Assistance offered to affected individuals;
- How individuals can lodge a complaint with the Office of the Australian Information Commissioner;
- Contact information of the personnel within the agency/organisation that can answer questions, provide further information or address specific privacy concerns.
What are the penalties for non-compliance?
Businesses that fail to comply may risk enforcement action, including potential civil penalties for serious or repeated breaches.
Under existing legislation, the Privacy Commissioner has enforcement powers. A failure to notify a breach may attract civil penalties of up to $1.7 million for serious or repeated breaches.
However, these powers of the Commissioner are discretionary, and they are not automatically triggered.
What are the implications of the introduction of the proposed Bill?
Ordinarily, when such a Bill receives Royal Assent, it commences 12 months after the date of assent. Therefore, there will be a 12-month time frame for businesses to respond and alter their processes and procedures to accommodate the changes proposed.
Similar drafts of this Bill were previously introduced in 2013 and 2014, and many European countries and US States have already adopted mandatory data breach notification laws. Therefore, it looks like this is the direction in which the regulation of privacy is heading.
There will be ongoing cost implications for your business, and your business may need to review its existing practices, processes and procedures.
We will continue to keep you updated on the legal developments in this area. For now, we recommend that businesses start preparing for the introduction of the notification requirements by ensuring that they have appropriate operational procedures to identify, assess and manage data breaches when they occur. Even if the changes are not implemented, this is a prudent way to ensure your business is compliant with existing privacy laws.
If you would like to talk to a lawyer about your operational procedures, or if you would like some general advice on how the existing privacy laws affect your business, please contact Peter North (Senior Associate, Corporate and Business Law Practice Group) on 03 9629 9629.