New Privacy Laws - Comply Now or Pay the Penalty

New mandatory data breach notification laws 

As of 22 February 2018, all organisations with existing personal information security obligations under the Australian Privacy Act 1988 (Cth) ("Privacy Act") will be required to comply with the new Notifiable Data Breach Scheme ("NDB Scheme"). This includes all businesses with an annual turnover of more than $3,000,000. 

Under the NDB Scheme, where there has been: 

  1. Unauthorised access to or unauthorised disclosure of personal information; and 
  2. A 'reasonable person' would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates; 

    OR

  3. Where there is loss of personal information and unauthorised access to or unauthorised disclosure of the personal information is likely to occur; and 
  4. Assuming that unauthorised access to, or unauthorised disclosure of, the personal information were to occur, a 'reasonable person' would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates; 

    AND
  1. If 1 – 2 above applies; and you do not take action before the access or disclosure results in serious harm to any of the individuals to whom the information relates such that a 'reasonable person' would conclude that the access or disclosure would not be likely to result in serious harm to any of those individuals;  

    OR 

  2. If 3 – 4 above applies; and you do not take action before there is unauthorised access to, or unauthorised disclosure of the information a result of which there is no unauthorised access to or unauthorised disclosure of, the information; 

then, an 'eligible data breach' has occurred. 

Various factors are to be taken into account as to whether a 'reasonable person' would conclude that access to, or a disclosure of information would be likely to result in serious harm. These include the kind, nature and sensitivity of the information and the persons or kinds of persons who have obtained or could obtain the information. 

Even if you do not believe that the relevant circumstances amount to an eligible data breach, you must still carry out a reasonable and expeditious assessment of whether it is one and take all reasonable steps to ensure that this assessment is conducted within thirty (30) days after becoming aware of the reasonable grounds to suspect that there may have been a breach. 

If you are aware of reasonable grounds to believe that there has been an eligible data breach you must: 

  1. send a detailed written statement to the Office of the Australian Information Commissioner (Privacy Commissioner); and 
  2. as soon as practicable thereafter:
    a. if practicable to notify the contents of the statement to each of the individuals to whom the relevant information relates – take such steps as are reasonable in the circumstances to notify the contents of the statement to each of the individuals to whom the relevant information relates; or
    b. if it is practicable to notify the contents of the statement of each of the individuals who are at risk from the eligible data breach – take such steps as are reasonable in the circumstances to notify the contents of the statement to each of the individuals who are at risk from the eligible data breach; or
    c. if neither 2.a. or 2.b. applies, publish a copy of the statement on your website and take reasonable steps to publicise the contents of the same. 

A failure to comply with the NDB Scheme will be governed by the Privacy Act's existing enforcement and civil penalty framework. Accordingly, an individual or company may be subject to anything from investigations to, in the event of serious or repeated non-compliance, substantial civil penalties (Up to $2,100,000.00 for companies and $420,000.00 for individuals). 

Tips 

This is a radical change to the existing law. We now recommend that if you will have NDB Scheme obligations, you put in place and adopt the following: 

  1. Robust data protection systems; 
  2. Robust procedures (and policies) dealing with data breaches. 

We note that this article is not an exhaustive summary of all the new privacy laws and requirements. If you want specific advice about the Notifiable Data Breach Scheme or the new privacy laws please don't hesitate to contact us on 02 9262 4471 or gavin@gpalaw.com.au.


Authored by Gavin Parsons and Dan Rappoport of Gavin Parsons and Associates

gavinparsonsadm

Date posted: 2018-02-09