Blog

Prepared by Brian J Tran

New data breaches privacy laws

As of 13 February 2017, the Privacy Amendment (Notifiable Data Breaches) Bill 2016 (“the Bill”) was passed.

This Bill introduces further changes to our current Privacy legislation effective once formalised later this year in 2017.

Essentially, there are new legal obligations imposed upon organisations and government agencies relating to data breaches.

Compliance is important

Compliance can help organisations and agencies avoid fines of up to $1,800,000 for a corporation, or $360,000 for individuals.

Importantly, the new laws are designed to help us be more proactive against data breaches, and serious harm to individuals to whom information relates.

So if you ever believe or suspect there has been a data breach relating to personal information obtained by our business, please contact legal.

Data Breaches

Under the Bill, a data breach is defined as:

• Unauthorised access to
• Disclosure of, or
• Loss of

personal information which has been obtained.

Furthermore, the access to, disclosure of or loss of personal information must “likely” result in “serious harm” to any of the individuals to whom the information relates.

Under the Bill, the word “likely” is construed to mean more probable than not.

NB: personal information can include, for example, names, addresses, phone numbers, and other contact information, as well as financial information.

New Notification Obligations

In the event of a data breach, there are new notification obligations.

Currently, our privacy laws “encourage” notification of the Office of the Australian Information Commissioner (OAIC) where there has been a data breach.

However, the new laws will mean that it will be legally mandatory for organisations and agencies to notify the OAIC if it has reasonable grounds to believe that a data breach has occurred.

Exceptions

However, there are some exceptions.

Legal Enforcement Investigations

One exception includes data breaches during legal enforcement investigations, such as criminal investigations.

Serious Harm Unlikely – Action Already Taken

Another exception is where action has already been taken in relation to the data breach before any serious harm arises, and as a result, the access to, disclosure of or loss of personal information would not likely cause serious harm to any person affected.

Notification Already Issued

Importantly, one other key exception is where a notification in respect of the same data breach has already been issued to the OAIC.

For example, if a retailer holds personal information about a customer and that personal information was shared with its supplier, however subsequently a data breach occurred leading the retailer to notify OAIC, then under the new laws only a single notification from the retail would be required.

In such circumstances, the supplier would not need to provide further notification.

Suspicion of Data Breaches

Where there is no belief but only suspicion of a data breach, then under the new laws there is a new legal requirement to carry out an assessment to determine if there are reasonable grounds to believe that the circumstances will actually lead to a data breach.

Within 30 days of becoming aware of any reasonable grounds, this assessment will need to be carried out completely.

Links

New Bill:

http://parlinfo.aph.gov.au/parlInfo/download/legislation/bills/r5747_first-reps/toc_pdf/16158b01.pdf;fileType=application%2Fpdf