New privacy obligations – the data breach notification scheme

by Imogen Thomas

Privacy and the protection of personal information are riding high in the public eye after a number of high-profile breaches over the past six months. As consumers, we need a good understanding of how our personal information is being handled, and we rightfully expect that organisations will look after it with due care. For businesses, the requirement to protect the personal information of staff, clients and stakeholders is not just a social expectation – there are legal requirements in place that oblige you to manage personal information safely and appropriately.

On 22 February 2018, the Notifiable Data Breaches (NDB) scheme came into force in Australia, bringing with it new obligations for agencies and organisations subject to the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). The scheme introduces an obligation to notify affected individuals and the Office of the Australian Information Commissioner (OAIC, the national privacy regulator) when a data breach occurs that is likely to result in serious harm. The notification must include recommendations on the steps individuals can take to reduce the potential harm from the breach.

Privacy refresh – what are the APPs?

The APPs are a framework of privacy obligations that apply to all Commonwealth government agencies, private sector and not-for-profit organisations with an annual turnover of more than $3 million, all private health service providers and some other small businesses (collectively, ‘APP entities’).

The APPs follow the lifecycle of ‘personal information’ from collection through to use and disclosure, to eventual destruction or disposal. An overview can be found on the OAIC website.

If an APP entity breaches an APP, this is called an ‘interference with the privacy of an individual’. Interferences with privacy can lead to complaints to the OAIC and, in some circumstances, compensation may be awarded to the individual. Over recent years, awards of compensation have ranged from $1,000 to over $20,000.

Not sure if the APPs apply to your organisation or if your privacy practices are up to standard? Contact elringtons for assistance and advice on meeting your privacy obligations.

New obligations

The NDB scheme applies to “eligible data breaches”: breaches that a reasonable person would conclude are likely to result in serious harm to any of the individuals to whom the information relates. Unless an exception applies, the APP entity is required to notify the affected individual(s) and the OAIC that the breach has occurred, so that action can be taken to mitigate any potential harm.

Notifications must include the following information:

  • the identity and contact details of the organisation;
  • a description of the data breach;
  • the type or kind of information concerned; and
  • recommendations about the steps individuals should take in response to the breach.

The OAIC has a specific form for notifying the Commissioner of notifiable data breaches.

Breaking it down

A “breach” includes unauthorised access to, unauthorised disclosure of, or loss of personal information. A breach may be as simple as sending a letter to the wrong person or leaving a memory stick or a briefcase on the train. Although the phrase “data breach” often conjures up images of computer hackers or determined criminals, the reality is that breaches most commonly occur through simple human error.

Not every breach will require notification. If a breach has occurred, the next question is whether serious harm is likely to result. Serious harm includes physical, psychological, emotional, financial or reputational harm. The Privacy Act sets out a number of relevant matters to assist in assessing whether serious harm is likely, including the kind(s) and sensitivity of the information; whether it is protected by security measures (for example, encryption) and how likely those measures are to be overcome; the nature of the harm that may result; and the likelihood that a person who could have obtained the information would have the intention of causing harm to any of the individuals concerned. Where an entity only suspects that an eligible data breach has occurred, it must carry out a reasonable and expeditious assessment, to be completed within 30 days, to determine whether notification is required.

There are some exceptions to the notification requirements. Where an entity takes remedial action before any serious harm results, so that a reasonable person would no longer conclude serious harm is likely, the breach is not an eligible data breach and need not be notified. Where the same information is held by more than one entity and one of them has already notified in compliance with the scheme, the other entities are not required to notify separately.

Prevention is better than a cure! elringtons can provide advice and guidance on best privacy practices, including undertaking privacy impact assessments or delivering training to your staff, to help your organisation manage privacy carefully and responsibly.

e: ithomas@elringtons.com.au | p: +61 6206 1300