In early 2017 we published an article outlining the elements of the new Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) and how it will affect businesses. As the effective date of 22 February 2018 approaches quickly, here is a recap of the changes to the Privacy Act 1988 (Cth) (“Privacy Act”) and some tips for determining whether an eligible data breach has occurred.
Who does the Privacy Act apply to?
If your business has an annual turnover of more than $3 million, or provides credit or receives tax file numbers, it is likely that it will have obligations under the Privacy Act. Small business operators (businesses with less than $3 million turnover) are generally exempt from the privacy obligations except if they hold health information in relation to the provision of a health service, if they are a credit reporting body or if they are a contracted service provider for a Commonwealth contract.
The changes to the law
The new law will require entities governed by the Act to notify affected persons and the Privacy Commissioner if an “eligible data breach” occurs. This happens where there is either:
- unauthorised access to, or unauthorised disclosure of, personal information, and a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to which it relates; or
- loss of personal information, making unauthorised access to or unauthorised disclosure of the information likely to occur and, if it were to occur, it would be likely to result in serious harm.
The Privacy Act provides guidance on determining whether a reasonable person would conclude that serious harm will likely result from the unauthorised access or disclosure of personal information. Amongst other things, you will need to assess:
- the sensitivity of the information
- whether the information is encrypted and the likelihood of the encryption being overcome
- the persons to whom the information has been disclosed or the persons who have accessed the information.
For example, if the information disclosed is financial information, notification is more likely to be required due to the sensitivity of that information and the serious (financial) loss that could result. However, if the breach disclosed only the names of individuals, it might not result in serious harm.
When is a data breach an eligible data breach?
An eligible data breach could occur if:
- an employee of an entity opens an email containing malware that allows an attacker to access the organisation’s information
- a data file containing personal information is mistakenly sent to the incorrect recipient
- a USB stick containing relevant information is left in a public space.
Circumstances in which personal information may be lost but where subsequent unauthorised access or disclosure is unlikely to occur could be where:
- personal information is encrypted to an extent that would make access to or disclosure of it difficult
- the information was remotely deleted before unauthorised access could occur.
However, a privacy breach need not be treated as an eligible data breach in every case. If your business acts quickly to mitigate the breach so that it is no longer likely to result in serious harm, no notification needs to be made.
What will you have to do if you suspect there is an eligible data breach?
If you are aware of reasonable grounds to suspect that there has been an eligible data breach in relation to your business, you will need to carry out a reasonable and expeditious assessment of whether there are in fact reasonable grounds to believe that the relevant circumstances amount to an eligible data breach. You must take all reasonable steps to complete the assessment within 30 days of becoming aware of the possible breach.
What will you need to do if there is an eligible data breach?
If there has been an eligible data breach, you will need to prepare a statement that includes the identity of the entity that suffered the eligible data breach, a description of the eligible data breach, the kinds of information that have been accessed, disclosed or lost, and the recommended steps that affected individuals should take in response. You will need to provide this statement to the affected individuals and the Privacy Commissioner as soon as practicable after preparing it.
There are benefits of notifying the Privacy Commissioner, including the fact that such action is likely to be viewed favourably by the public and it can assist the Commissioner to respond to inquiries made by the public and manage any complaints that may be received as a result of the breach.
A breach of these mandatory breach notification provisions constitutes an interference with the privacy of an individual. Serious or repeated offences are punishable by a civil penalty of up to $1.7 million.
If you would like more information about privacy breaches or the Privacy Act more generally, please contact Peter North, Director, or Caroline James, Lawyer of the Business practice group on 03 9629 9629.