If you store personal information of any kind you have strict obligations under the Privacy Act not to disclose that information to third parties. Systems, however, can be breached.
New mandatory data breach notification requirements have been passed. From 22 February 2018 there will be a formal legal requirement to provide notice of any serious breach to affected individuals and to the Privacy Commissioner.
Do All Data Breaches Require Notification?
Not all data breaches will require notifications. In order to trigger the notification requirement a reasonable person would need to conclude that there has been unauthorised access to, unauthorised disclosure of, or loss of, personal information held by the entity, and this would likely result in serious harm being caused to any of the individuals to whom the information relates.
Serious harm, in this context, could include serious physical, psychological, emotional, economic and financial harm, as well as serious harm to reputation and other forms of serious harm that a reasonable person in the entity’s position would identify as a possible outcome of the data breach.
In deciding whether a breach ‘will likely result in serious harm’, entities are required to have regard to a list of relevant matters outlined in section 26WA. Such matters include the kind of information leaked, the sensitivity of the information, the kind of persons who may have obtained the information and whether the information has been otherwise protected.
Without limiting the effect of the Act, things like credit card or account details and medical information are likely to give rise to the risk of harm.
If you believe there are reasonable grounds to suspect there may have been an eligible data breach, then you must carry out an expeditious and reasonable assessment within 30 days. If such a breach is found to have occurred then, unless an exception applies, you must as soon as reasonably practicable prepare a statement to give to the Commissioner, and must take all reasonable steps to notify each of the individuals whose information has been breached.
What Are The Penalties For Non-Compliance?
Fines for breaches of the Act can be significant. Failure to comply with the requirement to notify will be deemed to be a serious interference with the privacy of an individual for the purposes of section 13G of the Privacy Act. The penalties for seriously interfering with the privacy of an individual are fines:
Current Penalty
Up to $360,000 for an individual
Up to $1.8 million for a body corporate

Parliament has recently proposed that this be increased to the following from 1 July 2017:

Proposed Penalty from 1 July 2017
Up to $420,000 for an individual
Up to $2.1 million for a body corporate