Privacy Act Changes

On 13 February 2017, Federal Parliament passed the Privacy Amendment (Notifiable Data Breaches) Bill 2016 (Cth) to introduce a mandatory data breach reporting regime, requiring certain organisations to report “a serious data breach” to the Australian Information Commissioner. The scheme will apply to private organisations with a turnover of $3 million or more, credit reporting bodies, credit providers and recipients of tax file number information.

The Bill seeks to introduce a new obligation on relevant organisations to report a “serious data breach” to the Australian Information Commissioner and notify individuals whose data is affected by a breach.

So what exactly is a “serious breach”?

In simple terms, it is the unauthorised access or disclosure of

  • personal information;
  • credit reporting information; or
  • tax file information

and which puts the individuals affected at ‘real risk’ of serious harm.

Real risk is a subjective test (much like determining what is a significant breach for AFSL holders) and takes into consideration factors such as the sensitivity of the disclosed information, any security measures attaching to that information and the type of security measures in place. The scope for ‘harm’ is broad and includes physical, psychological, emotional, reputational, economic and financial harm.

Notification

If a serious breach has occurred, an organisation must notify the Commissioner and affected individuals (and/or organisations) that it deems to be ‘at risk’. This must be done as soon as practicable after the organisation becomes aware that there are reasonable grounds to believe that a serious data breach has occurred. The notification must include:

– the identity and contact details of the organisation;
– a description of the serious breach;
– the kinds of information concerned; and
– recommendations about the steps that individuals should take in response to the serious data breach.

Timeframe for reporting

Organisations will be required to report a serious breach within 30 days. Failure to do so may attract penalties of up to $340,000 for individuals and up to $1.7 million for organisations.

Exceptions:

The Bill provides for circumstances where it may be impracticable to provide sufficient notice to affected individuals or entities. In such cases, an organisation will not be required to provide notice directly to each affected individual, but will be required to publish information about the breach on its website and take reasonable steps to publicise the information.

Alternatively, if an organisation has taken remedial steps following a potential or actual eligible data breach, it is also exempt from the requirement to notify the Commissioner of the breach. The Commissioner also has the discretion to provide an exemption where the Commissioner is satisfied that it is reasonable in the circumstances to do so.