The information in this article should be treated as a guide only and not legal advice. Please seek professional legal advice should you require further clarification.

The quick summary

The Privacy Amendment (Notifiable Data Breaches) Bill 2016 was passed by the Senate as an amendment to the Australian Privacy Act 1988 (Cth) and will come into effect on February 22, 2018. Australian companies regulated by the Privacy Act should take the opportunity to review their existing data breach policies and procedures to assess their compliance with the new NDB scheme.

What is a data breach?

  • Personal information is lost or obtained by an unauthorised person

What is a Notifiable data breach?

  • A data breach that is likely to result in serious harm

Examples of a data breach include when:

  • a device containing customers’ personal information is lost or stolen
  • a database containing personal information is hacked
  • personal information is mistakenly provided to the wrong person

What is an eligible data breach?

How do you assess a suspected breach?

  1. Take whatever steps possible to immediately contain the breach
  2. Carry out a reasonable and expeditious assessment within 30 days
  3. Identify whether the breach was unauthorised access or disclosure, or loss of information
  4. Identify whether the breach will result in serious harm
  5. Identify your remedial action

How do you notify OAIC and affected individuals?

1. Prepare a draft statement with the following:

  • identity and contact details of the entity
  • description of the breach
  • description of the information concerned
  • recommendations for individuals

2. Provide a statement to the Office of the Australian Information Commissioner

3. Provide notification to individuals

Legal ramifications for data breaches

You will need to consider the following

  • Privacy laws
  • Reputational risk
  • Business interruption impact and losses
  • Civil action by individuals
  • Sector-specific regulations
  • Competition & Consumer Act
  • Disclosure obligations under listing rules
  • Director’s duties

Australian Privacy Principles

APP 11.1

If an APP entity holds personal information, the entity must take such steps as are reasonable in the circumstances to protect the information:

a) from misuse, interference and loss; and
b) from unauthorised access, modification or disclosure

Further reading:

Guide to securing personal information – Office of the Australian Information Commissioner

Specific enforcement powers of the OAIC

  • Failure to comply with the NDBS could be deemed to be a ‘serious interference with the privacy of an individual
  • Serious interference = Penalties of up to A$2.1 million for a body corporate
  • Other enforcement powers of the Commissioner include:
    • Making a determination requiring the payment of compensation for damages or other remedies, such as the provision of access or the issuance of an apology
    • Accept an enforceable undertaking
    • Seek an injunction regarding conduct that would contravene the Privacy Act

What can you do?

  • Be mindful of your data handling processes
    • What’s coming in and going out? Do a data audit
    • What’s the flow of personal information in and out of your organisation?
  • Have a data breach response plan
    • 30% of breaches come from 3rd parties that use that breach to access systems

Is the EU’s General Data Protection Regulation (GDPR) relevant in Australia?

There are huge fines applicable under the GDPR and they can affect Australian businesses.

Can an EU Customer buy from you?

If so, the GDPR applies to your business! If you sell to the EU or have an office in the EU (even without personal data being held in that office), the GDPR will apply.

Do you track EU users online and use data tracking to determine their preferences?

Then the GDPR applies to you.

Can Rock IT help?

Rock IT can help you define your Cybersecurity Posture along with helping with certain IT policies. We recommend you speak with a legal professional if you have specific queries about the amendments to the Privacy Act and/or the EU’s GDPR.