There is no current legal obligation under the Privacy Act to notify either the Privacy Commissioner or affected individuals where you suffer a data breach. However, mandatory data breach notification laws will take effect in Australia from 22 February 2018.
The scheme applies to all Australian companies that are currently subject to the Privacy Act.
Where an entity is aware that there are reasonable grounds to believe that there has been an 'eligible data breach' of the entity, it must notify the Privacy Commissioner and affected individuals.
In short, an 'eligible data breach' occurs where there is unauthorised access to, disclosure of or loss of personal information, which is likely to result in serious harm to affected individuals.
Depending on the circumstances, there are three options for notification to individuals to whom an eligible data breach relates:
- Option 1: notifying each of the individuals to whom the relevant information relates.
- Option 2: notifying only those individuals at risk of serious harm from the eligible data breach.
- Option 3: where neither option 1 nor option 2 is practicable, the entity must publish a copy of the prescribed matters on its website and take reasonable steps to publicise the contents of that statement.
A key exception to the notification obligation is where effective 'remedial action' has been taken before the breach causes serious harm.
- Updating internal processes: Review and implement your data breach response plans. The OAIC will release additional guidance over the next few months to help businesses and agencies prepare for changes.
- Third party providers: Businesses will need to consider the implications of the notification regime in relation to outsourcing or other arrangements with third parties who hold personal information for the organisation.
For more information on the mandatory data breach notification scheme, see our Focus: Worth the wait? Release of draft mandatory data breach notification laws from October 2016.