Australian businesses will soon be obliged to disclose data breaches thanks to a new bill passed by Parliament. It is a welcome change for many technology industry groups, but some businesses fear the implications of the added obligations they will face. Keep reading to find out what the change could mean for your business!
Background of the Bill
The long-awaited Privacy Amendment (Notifiable Data Breaches) Bill 2016 was passed in Australian Parliament on 13 February 2017. It amends the Privacy Act 1988 by introducing a mandatory data breach notification regime. This regime represents a significant change to data breach obligations as they currently exist.
Up until now, the Australian Information Commissioner (AIC) has encouraged businesses to voluntarily disclose data breaches, but there has been no legal obligation to do so under the Privacy Act. Once this new Bill takes effect, however, businesses will be obliged to disclose all breaches to the Office of the AIC.
“Eligible Data Breach”
The Bill requires all eligible data breaches to be disclosed to the AIC. So what constitutes an ‘eligible data breach’? Broadly speaking, this occurs where:
- There has been unauthorised disclosure of, or access to, personal information, and a reasonable person (an objective test) would detect a likely risk of serious harm to the affected individual or individuals; or
- Personal information is lost in circumstances that are likely to give rise to unauthorised disclosure of, or access to, the information, and a reasonable person would detect a likely risk of serious harm to the affected individual or individuals.
‘Serious harm’ can include physical, psychological, emotional, economic and financial harm.
Obligations for Businesses
Broadly speaking, under the new regime, businesses have notification responsibilities in relation to eligible data breaches. This obligation can be broken down into a more detailed list of duties:
- Businesses with reasonable grounds to believe that an eligible data breach has occurred must carry out a reasonable and expeditious assessment of the suspected breach. This must be completed within 30 days of the business becoming aware of the breach, where reasonably possible.
- After making the assessment, businesses must notify the AIC and affected individuals of the suspected ‘eligible data breach’. This process requires the business to:
  - Prepare a statement which sets out the business’ identity and contact details, a description of the breach, the type of information concerned, and recommendations of actions to be taken in response to the breach;
  - Provide a copy of the statement to the AIC;
  - If practical, notify the contents of the statement to each person to whom the relevant information relates or who is at risk from the breach; and
  - If it is not practical to notify affected persons, publish a copy of the statement on the business’ website and take reasonable steps to publicise the statement.
Does the Bill Apply to my Business?
The Bill has the same scope of application as the Privacy Act. That means if your business has responsibilities under the Privacy Act, it will also be subject to the new Bill.
So what types of businesses does this include?
- Australian Government agencies;
- Businesses and not-for-profit organisations with an annual turnover above $3 million;
- Private sector health services (including gyms, weight loss clinics, etc.);
- Educational and child care institutions (e.g. private schools, child care centres, etc.); and
- Businesses that buy or sell personal information.
Even if your business falls outside the application of the Bill, it is still strongly advised that every business implements strategies to comply with the rules and aims of the new legislation. Businesses that do so will likely attract a favourable reputation with the AIC, as well as with consumers. It will also help to combat the serious issue of data breaches in Australia.
Get Prepared Today!
All businesses should start preparing for the commencement of the new regime from NOW! You can get your business prepared by:
- Ensuring all personnel with privacy and management responsibilities understand the effects of the notification regime and their responsibilities;
- Introducing procedures to manage compliance with the regime in case of a breach; and
- Considering the implications of the regime in relation to outsourcing or other arrangements with third parties who hold personal information for your business.
Get in touch with us to get your business prepared for the legislative changes headed your way!