Privacy law update – data breaches must now be notified
It is time to review your cyber security posture
Starting today, the Privacy Act 1988 (Cth) requires agencies and organisations to notify affected individuals of certain data breaches. This fundamentally changes the risk profile around compliance with the Privacy Act.
The amendments require notification where there has been an ‘eligible data breach’. This occurs where (a) there is unauthorised access to, or unauthorised disclosure of, personal information (including some deemed forms of personal information), or personal information is lost in circumstances where unauthorised access or disclosure is likely to occur (the breach), and (b) a reasonable person would conclude that the breach is likely to result in serious harm to any of the individuals to whom the information relates. Harm can take many forms, including physical, emotional, reputational or financial.
The duty to notify is not absolute, however. There are some exceptions. The first is in the definition of ‘eligible data breach’ itself. While the test is framed objectively (what a reasonable person would conclude), an assessment of the likely seriousness of any breach will still be required. There is a non-exhaustive list of matters to consider in this regard, but if there is no likely risk of serious harm, then no notification is required.
If a party has reasonable grounds to suspect there has been a breach, but does not yet have grounds to believe one has occurred, it must conduct an assessment rather than immediately notifying. That assessment is expected to be completed within 30 days of the suspicion arising.
Further, if there has been a breach, but the party has taken steps to remove the effect of the breach before harm occurs (for instance, because a lost device can be remotely wiped), then the breach need not be notified.
Also, if there are multiple parties involved in a breach – for instance, through an outsourcing or cloud arrangement – only one party needs to make the notification.
Finally, there are some exceptions for law enforcement and government agencies.
If you do have to notify, then there are issues of timing and form that must be addressed. You must prepare a notice that covers specified matters, and provide it to the Australian Information Commissioner (the Commissioner) as soon as reasonably practicable. That is a variable time frame that will depend on the particular circumstances, and it may be that we receive guidance from the Commissioner in due course about what is expected.
The notice must contain:
- the identity and contact details of your business
- a description of the breach
- the kind of information concerned (whether accessed, disclosed or lost), and
- recommendations about the steps individuals should take in response to the breach.
In addition to providing it to the Commissioner, you must also notify the affected individuals using the usual method of communication between you and the individual, and if you are unable to individually notify, publish the notice on your website and take reasonable steps to publicise the notification.
If you fail to comply with the new notification obligations, then the usual range of remedies under the Privacy Act are available, including investigation by the Commissioner, court-enforceable undertakings, orders for compensation, and penalties of up to $2.1 million.
What to do now
Clearly this new regime involves a significant changing of the privacy landscape. Businesses will be more publicly accountable for data breaches, and must be far more open with individuals in their communications about data breaches.
While to an extent this will inevitably lead to a ‘normalisation’ of breach notifications, this is cold comfort for anyone having to go through the notification process. It will be critical to be ready to deal with notification obligations swiftly and professionally, and so we recommend putting in place a data breach response plan to ensure the procedural aspects of notification and breach response are addressed. More importantly still, we also recommend recognising that prevention is better than cure, and taking the opportunity to review your cyber security posture generally to reduce the risk of a breach happening in the first place.
Our privacy experts can help you at every stage of the process.
This publication covers legal and technical issues in a general way. It is not designed to express opinions on specific cases. It is intended for information purposes only and should not be regarded as legal advice. Further advice should be obtained before taking action on any issue dealt with in this publication.