7 things you need to know about Australia’s mandatory data breach reporting scheme

January 23, 2018

Australia’s privacy legislation is being overhauled, with the introduction of new protections designed for the digital age. From 22 February, the new laws – which place data breach notification obligations on some organisations – start operating.

1. The notifiable data breaches scheme is law

The Australian Parliament passed laws to introduce a mandatory data breach notification scheme last year, and from 22 February 2018 these laws will start operating.

2. Increased confidence in a digital world is the aim

Like other similar schemes throughout the world, Australia's data breach notification scheme aims to give increased confidence to individuals that if they're affected by a data breach, they'll know they're affected and have a chance to protect their interests.

3. The scheme only applies to certain organisations

The new laws amend the Australian Privacy Act 1988 and apply to organisations governed by that Act. These organisations include Australian Government agencies, businesses and not-for-profit organisations with an annual turnover of $3 million or more, credit reporting bodies, health service providers, and TFN recipients.

4. “Eligible data breaches” trigger the obligation to notify

The new laws provide that an eligible data breach happens when:

  • there is unauthorised access to, unauthorised disclosure of, or loss of, personal information held by an entity, and
  • a reasonable person would conclude that the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates.

Whether the access, disclosure or loss is likely to result in serious harm depends on the circumstances of the breach including the nature or sensitivity of the information, whether the information is protected by security measures and who could obtain access to the information.

If an eligible data breach occurs, you must prepare a statement for the Office of the Australian Information Commissioner and, where practicable, take reasonable steps to notify each individual affected by the data breach of the contents of that statement; if that is not practicable, you must publish a copy of the statement on your website and publicise it.

If the Commissioner has reasonable grounds to believe an eligible data breach has occurred, the Commissioner can also direct that a notification be made.

5. If you suspect a breach you must investigate it

If there are reasonable grounds to suspect an eligible data breach may have occurred, but you are not yet aware that the circumstances amount to an eligible data breach, the notification obligation doesn't immediately arise. However, a "reasonable and expeditious" assessment of the relevant circumstances must be conducted within 30 days.

6. It pays to be proactive

The notification requirements can be avoided if, when a breach is detected, remedial action is taken before serious harm occurs.

7. Beware: severe penalties may apply

Failure to comply with the scheme can mean you're interfering with the privacy of an individual - something which can attract a fine of up to $2.1 million under the privacy legislation.
Understanding these changes will not just help you comply with the new regime; for businesses with European customers, this is also a step towards understanding and complying with the more stringent European General Data Protection Regulation which commences in May.

Register for the SAI Global Mandatory Data Breach Reporting Scheme webinar and learn more about these important changes and how you can use technology and build a compliant and secure culture to mitigate data breaches.

Sources:

Notifiable Data Breaches scheme
https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme

Australia's new mandatory data breach notification regime: how to prepare your business
https://www.clydeco.com/insight/article/australias-new-mandatory-data-breach-notification-regime-how-to-prepare-you

Take notice - mandatory data breach notification laws to take effect by 23 February 2018
https://www.claytonutz.com/knowledge/2017/march/take-notice-mandatory-data-breach-notification-laws-to-take-effect-by-23-february-2018

In-house counsel: Preparing for Australia's Mandatory Data Breach Reporting Scheme
http://insight.thomsonreuters.com.au/posts/data-breach-reporting-scheme

Privacy Amendment (Notifiable data breaches) Bill 2016
http://parlinfo.aph.gov.au/parlInfo/download/legislation/ems/r5747_ems_ed12b5bb-d3b3-4a6a-9536-53bb459a00df/upload_pdf/6000003.pdf;fileType=application%2Fpdf

Privacy Amendment (Notifiable Data Breaches) Act 2017
https://www.legislation.gov.au/Details/C2017A00012

Privacy Act 1988
https://www.legislation.gov.au/Details/C2017C00283