Mandatory data breach notification

We recently had one of our broker partners experience a data breach, which was caused by a simple mistake. However, under the new data breach laws, this was a notifiable breach - meaning we had to report it to the Privacy Commissioner.

Please read the information below to make sure you don't fall foul of this new regime, and are ready to act.

The Australian Government has established a Notifiable Data Breaches (NDB) scheme, to ensure that affected individuals are notified about serious data breaches. The NDB scheme will apply to all businesses, government agencies and other organisations covered by the Australian Privacy Act 1988 and will commence on 22 February 2018.

"Eligible Data Breach"
The new regime will require notification of "eligible data breaches". These are defined as data breaches, including data loss incidents, where a reasonable person would conclude that the breach would be likely to result in serious harm to any of the affected individuals. Serious harm could include physical, psychological, emotional, economic and financial harm, and harm to reputation.

In assessing harm, an organisation is required to have regard to a list of relevant matters such as the nature of the information, the sensitivity of the information, the kind of persons who may have obtained the information and whether the information has been protected.

Notification obligations
If there are reasonable grounds to suspect that an eligible data breach has occurred, an organisation must:

  • within 30 days, carry out a "reasonable and expeditious" assessment as to whether there has been an eligible data breach; and
  • if an eligible data breach has occurred, notify affected individuals as soon as practicable, with a notification containing certain prescribed information, including:
    • the identity of the organisation;
    • the description of the breach;
    • the kind of information concerned; and
    • recommendations to the individual as to steps to take in response to the breach.

Where notification is required, the organisation must notify both the affected individuals and the Australian Privacy Commissioner.

There are several exceptions to the notification regime:

  1. Where an organisation has taken remedial action to address potential harm to individuals that may arise due to a data breach before any serious harm is caused, the breach will not be an eligible data breach and the obligation to notify will not apply.
  2. Other exceptions cover law enforcement, Commonwealth secrecy requirements, data breaches affecting multiple entities, and declarations by the Commissioner.

Consequences of non-compliance
The current penalty is up to $360,000 for an individual or up to $1.8 million for a body corporate. Parliament has recently proposed that this be increased up to $420,000 for an individual and up to $2.1 million for a body corporate from 1 July 2017.