Australia’s privacy legislation is being overhauled, with the introduction of new protections designed for the digital age. From 22 February, the new laws – which place data breach notification obligations on some organisations – start operating.
1. The notifiable data breaches scheme is law
The Australian Parliament passed laws to introduce a mandatory data breach notification scheme last year, and from 22 February 2018 these laws will start operating.
2. Increased confidence in a digital world is the aim
Like other similar schemes throughout the world, Australia's data breach notification scheme aims to give increased confidence to individuals that if they're affected by a data breach, they'll know they're affected and have a chance to protect their interests.
3. The scheme only applies to certain organisations
The new laws amend the Privacy Act 1988 (Cth) and apply to the organisations governed by that Act. These include Australian Government agencies, businesses and not-for-profit organisations with an annual turnover of $3 million or more, credit reporting bodies, health service providers, and tax file number (TFN) recipients.
4. “Eligible data breaches” trigger the obligation to notify
The new laws provide that an eligible data breach happens when:
- there is unauthorised access to, unauthorised disclosure of, or loss of, personal information held by an entity, and
- a reasonable person would conclude that the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates.
Whether the access, disclosure or loss is likely to result in serious harm depends on the circumstances of the breach including the nature or sensitivity of the information, whether the information is protected by security measures and who could obtain access to the information.
If an eligible data breach occurs, you must prepare a statement for the Office of the Australian Information Commissioner (OAIC) and, where practicable, take reasonable steps to notify the contents of that statement to each individual affected by the breach. If that is not practicable, you must publish a copy of the statement on your website and take reasonable steps to publicise it.
If the Commissioner has reasonable grounds to believe an eligible data breach has occurred, the Commissioner can also direct that a notification be made.
5. If you suspect a breach you must investigate it
If there are reasonable grounds to suspect that an eligible data breach may have occurred, but you are not yet aware that the circumstances amount to one, the notification obligation does not immediately arise. Instead, you must carry out a "reasonable and expeditious" assessment of the relevant circumstances, and that assessment must be completed within 30 days of becoming aware of the grounds for suspicion.
6. It pays to be proactive
The notification requirements do not apply if, once a breach is detected, you take remedial action before any serious harm occurs, and as a result a reasonable person would conclude that the breach is no longer likely to result in serious harm to any affected individual.
7. Beware: severe penalties may apply
Failure to comply with the scheme is treated as an interference with the privacy of an individual. Serious or repeated interferences with privacy can attract a civil penalty of up to $2.1 million for bodies corporate under the privacy legislation.
Understanding these changes will not just help you comply with the new regime; for businesses with European customers, it is also a step towards understanding and complying with the more stringent European General Data Protection Regulation (GDPR), which commences on 25 May 2018.
Register for the SAI Global Mandatory Data Breach Reporting Scheme webinar and learn more about these important changes and how you can use technology and build a compliant and secure culture to mitigate data breaches.
Further reading:
- Notifiable Data Breaches scheme
- Australia's new mandatory data breach notification regime: how to prepare your business
- Take notice – mandatory data breach notification laws to take effect by 23 February 2018
- In-house counsel: Preparing for Australia's Mandatory Data Breach Reporting Scheme
- Privacy Amendment (Notifiable Data Breaches) Bill 2016
- Privacy Amendment (Notifiable Data Breaches) Act 2017
- Privacy Act 1988