Significant new reporting obligations are set to apply to Australian businesses from 22 February this year. With the introduction of the Notifiable Data Breaches (NDB) Scheme, Australian businesses will be required to report data breaches.
Morrissey Law & Advisory has prepared a short guide to assist businesses to prepare for the introduction of the incoming amendments.
The incoming legislation
The Privacy Amendment (Notifiable Data Breaches) Act 2017 amends the Privacy Act 1988, which regulates how personal information is handled.
This Act defines personal information as:
“…information or an opinion about an identified individual, or an individual who is reasonably identifiable:
- whether the information or opinion is true or not; and
- whether the information or opinion is recorded in a material form or not.”
Who must comply with the NDB scheme?
The NDB scheme will apply to government agencies, and all businesses and not-for-profit organisations with an annual turnover of $3 million or more.
When must an entity give notification?
Australian businesses will be required to give a notification if there are reasonable grounds to believe an eligible data breach has happened, or if directed to do so by the Information Commissioner.
An eligible data breach is when:
- There is unauthorised access to, unauthorised disclosure of, or loss of, personal information held by an entity; and
- The access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates.
When is an eligible data breach likely to result in serious harm?
When assessing if an eligible breach is likely to lead to serious harm to an individual whose information is held in the breached system, the following factors must be taken into account:
- The kind or kinds of information held;
- The sensitivity of that information;
- Whether the information is protected by security measures and the likelihood such security measures could be overcome;
- The people, or kinds of people, who have obtained or could obtain the information; and
- The nature of the potential harm.
How to give notification?
When an entity becomes aware that there are reasonable grounds to believe that there has been an eligible breach, the entity must prepare a statement which sets out:
- The identity and contact details of the entity,
- A description of the eligible data breach,
- The kind or kinds of information concerned, and
- Recommendations about the steps that individuals should take in response to the eligible data breach.
The entity must do this as soon as practicable after becoming aware of the breach and must also provide the Commissioner with a copy of the statement.
If practicable, the entity must notify each individual to whom the relevant information relates, or who is at risk from the eligible data breach, of the contents of the statement.
The following link will guide you through the formulation of an Eligible Data Breach Statement:
The effects on businesses
The overriding purpose of the incoming amendment is to prompt Australian businesses to not only be more careful with sensitive information, but to identify the long term economic value in investing in systems which ensure personal information is well protected.
A proactive step that will surely prove beneficial in an increasingly unpredictable cyber age is the implementation of a Data Breach Response Plan.
Along with its functions of receiving notifications and encouraging compliance with the scheme, the Office of the Australian Information Commissioner also provides guidance to businesses in preparing for breaches. A helpful guide can be found here:
Penalties for not complying with the new notification laws can be as steep as $360,000 for company directors and officers, and as much as $1.8 million for companies.
If you have any questions regarding the introduction of the new legislation, or want assistance in navigating the legislation and the steps your business should take to ensure it complies with the legislation, contact Morrissey Law & Advisory on (02) 8077 0668 or (02) 4038 1620.
(This article was prepared by Michael Morrissey, Principal, with assistance from Patrick Ireland, Paralegal.)
Disclaimer: This publication by Morrissey Law & Advisory is for general information and commentary only and should not be considered or relied upon as legal advice. Formal legal advice should be sought in relation to any matters or transactions that may arise in connection with this communication.