What you need to know about mandatory data breach notification

By Miriam Stiel

In brief

In response to the rising number of cyberattacks, new legislation has been passed that establishes a mandatory data breach notification regime taking effect from February next year. Lawyer Mohamed Khairat reports.

What the changes mean

Under the Privacy Amendment (Notifiable Data Breaches) Act 2017 (the Act), from 22 February 2018, Australian entities covered by the Privacy Act 1988 (Cth) that have reasonable grounds to believe they have suffered an 'eligible data breach' will be required to notify the Office of the Australian Information Commissioner (OAIC) and the affected individuals; a merely suspected breach triggers a duty to assess it (see below). The consequences of not complying range from reputational damage to a civil penalty of up to $2.1 million for a serious or repeated interference with privacy. It is therefore vital for companies to be aware of what they need to do, how to do it and when.

What is an eligible data breach?

An eligible data breach occurs where there is unauthorised access to or disclosure of 'personal information', or the loss of personal information in circumstances where unauthorised access or disclosure is likely, and a reasonable person would conclude that the access or disclosure would be likely to result in 'serious harm' to any of the individuals to whom the information relates.

The definition of 'personal information' is taken from the Privacy Act 1988 (Cth) and covers names, addresses, health information, tax file numbers, credit information and sensitive information.

'Serious harm' is not exhaustively defined in the Act; it is understood broadly to encompass anything from physical and psychological harm to economic and reputational harm. Whether harm is likely to be serious is assessed by reference to the kind and sensitivity of the affected personal information, whether the information is protected by security measures such as encryption and how likely it is that those measures could be overcome, who has (or could have) obtained the information, and the nature of the harm that could follow.

Responding to an eligible data breach

Once an entity suspects that there may have been an eligible data breach, it must carry out a reasonable and expeditious assessment, within 30 days, of whether there are reasonable grounds to believe the relevant circumstances amount to an eligible data breach. An entity must prepare a statement and give a copy to the OAIC as soon as practicable after it determines that it has reasonable grounds to believe that an eligible data breach has occurred. That statement must set out the entity's identity and contact details, describe the data breach, identify the kind or kinds of information concerned, and recommend the steps that individuals should take in response to the data breach.

As soon as practicable, the entity must also take reasonable steps to communicate the contents of the statement to the individuals to whom the information relates or, at the entity's option, only to those individuals at risk of serious harm. Where neither is practicable, the entity must publish the statement on its website and take reasonable steps to publicise it.

Mitigating risk

If your organisation collects personal information (which it almost certainly does), these changes will affect you. Given the serious consequences of having to notify an eligible data breach, it is prudent to take steps to mitigate the risk of such an event occurring: technical measures (limiting access rights to those who need them, encrypting personal information so that lost or disclosed data is less likely to cause serious harm, and keeping computer systems and programs patched and up to date; note that forced periodic password changes are no longer recommended practice, with multi-factor authentication and strong, unique passwords preferred), training staff, and conducting regular security audits.

The Act also underscores the need for an incident response plan to deal with data breaches when detected. If a breach occurs, acting quickly can prevent it from becoming an eligible data breach: where the entity takes remedial action before any serious harm results, such that a reasonable person would conclude the breach would not be likely to result in serious harm, the notification obligation does not arise. Logging and documenting the assessment and any remedial steps is important, as the entity bears the burden of showing that its conclusions were reasonable.