Notifiable data breaches: do they affect your business?

On 22 February 2018, new laws in respect of notifiable data breaches take effect altering the Privacy Act 1988 (Cth) (‘Privacy Act’) to impose additional obligations on businesses it impacts (‘APP Entities’).

Effectively the new legislation requires that if an APP Entity experiences an ‘Eligible Data Breach’ and unless an exemption applies, it is obligated to report the breach in a specific way, both to the Office of the Australian Information Commissioner (‘OAIC’) and the individuals affected by the breach.

The new laws are designed to allow individuals whose information has been compromised to take steps to mitigate the damage.  There is, however, a degree of discretion for APP Entities such that they may only be required to report data breaches where the breach could result in serious harm.

1. Identifying and mitigating potential breaches

Should a potential breach be identified, an APP Entity should first take steps to contain the breach and/or mitigate the risk of harm.  Taking prompt action may allow an entity to avoid disclosing a breach on the basis that it has prevented it from becoming an ‘Eligible Data Breach’.

An Eligible Data Breach is a breach where there is:

The importance of taking mitigation steps towards avoiding a potential breach becoming an Eligible Data Breach (‘Remedial Action’) is discussed further below at section 4.

2. Does it require reporting?

Regardless of whether the above process mitigates a potential breach, an APP Entity must consider whether it has ‘reasonable grounds’ to believe that the breach requires disclosure.  Determining what is reasonable should be formalised into an assessment process that forms part of a business’ data handling policies (eg data collection, privacy, and so on) (‘Assessment’).

Importantly, the Act requires that an Assessment be undertaken even where there are merely reasonable grounds to suspect that there has been a relevant data breach.  Should the Assessment substantiate suspicions (ie such that they become a reasonable belief), it may be the case that the situation must be reported to the OAIC within 30 days (should serious harm be likely).

3. What is serious harm?

Serious harm can include serious physical, psychological, emotional, economic, financial or even reputational harm.

The standard for whether harm is likely to result turns on factors including:

Should an APP Entity consider following Assessment that an Eligible Data Breach has occurred, the notification obligations are triggered pursuant to the Privacy Act.

4. Sensitive information

Any sensitive information is, per the guidance of the OAIC, more likely to bring about serious harm should Unauthorised Conduct occur.  Sensitive information can include, for example, information about the following (‘Sensitive Information’):

Should a breach involve Sensitive Information, best practice dictates that Assessment err on the side of caution in determining whether an Eligible Data Breach has occurred.

5. Do any exemptions apply?

Notwithstanding the above, should exemptions apply, an APP Entity may not be required to make disclosure.  Exemptions include:

6. Providing notification

Should there be an Eligible Data Breach and no exemptions apply, an APP Entity must promptly notify the Commissioner and affected or at-risk individuals via a statement in the prescribed form setting out (‘Notice’):

The Commissioner must be notified ‘as soon as practicable’.  This timeframe is influenced by a number of factors including an APP Entity’s circumstances, the time and effort required to comply with notification requirements, associated costs, and so on.

The OAIC operates on the basis that an APP Entity should comply with notification requirements promptly, unless there are vitiating circumstances that impact its ability to do so.

Should it not be practicable to provide Notice to each affected or at-risk individual, it may be possible to satisfy the notification requirements by publishing the Notice on the website of the relevant APP Entity and taking reasonable steps to publicise its contents.

7. Penalties

Should an APP Entity fail to comply with notification requirements, the Commissioner has the ability to do some or all of the following:

8. How should businesses respond?

Once the amendments to the Privacy Act are operational, it is a requirement that all APP Entities comply with the new laws.

(a) Data response plan

The Privacy Act provides that an organisation to which it applies must take reasonable steps to protect the personal information it holds from misuse, interference, loss, unauthorised access, modification or disclosure.  The OAIC considers that the requirement to undertake ‘reasonable steps’ may include preparing and implementing a data response plan.  Data response plans are also an ideal way to ensure an APP Entity complies with its obligations to investigate potential breaches and mitigate damage.

A data response plan should include strategies for:

(b) Compliance check

The amendments also serve as a timely reminder for businesses to review whether the Privacy Act applies to them and the state of their current privacy policy.  Of particular concern from a legal perspective are policies that are:

In light of the new amendments to the Privacy Act, data response plans are recommended for any businesses captured by the Privacy Act or that collect personal or Sensitive Information.

Ramsden Lawyers now offers privacy compliance checks on your business’ current preparedness to comply with the amendments and the Privacy Act generally.  Should they be required, we can also assist you in developing assessment criteria for assessing potential Eligible Data Breaches or drafting/editing privacy policies.

Ramsden Lawyers’ Business Team regularly assists small to medium businesses in achieving compliance with the Privacy Act.  Should you have any concerns in relation to the above please do not hesitate to contact us via our online enquiry system or alternatively on (07) 5592 1921.