From 22 February this year your company may be required to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals if personal information held by your company is accessed, lost or disclosed in circumstances that are likely to result in serious harm to the individuals affected.
What are the changes?
Under the new Notifiable Data Breach scheme (NDB), agencies and organisations with existing personal information obligations under the Privacy Act 1988 (the Act) will be required to alert the OAIC and all affected persons if personal information is involved in a data breach.
What are data breaches involving personal information?
Personal information is defined under s 6(1) of the Act as:
‘Information or an opinion about an identified individual, or an individual who is reasonably identifiable:
There are various types of personal information recognised under the Act, including ‘sensitive information’ (e.g. information or an opinion about an individual’s racial or ethnic origin, political opinions, religious beliefs or sexual orientation), ‘health information’, ‘credit information’ and ‘employee record information’, among others.
Who does it apply to?
The NDB scheme will apply to businesses, Australian Government agencies, and not-for-profit organisations with an annual turnover of $3 million or more and businesses which trade in personal information, among others (APP Entities).
When do I need to disclose a data breach?
Under the new scheme, APP Entities are required to provide notice as soon as practicable to affected individuals and the OAIC where there are reasonable grounds to believe that an “eligible data breach” has occurred (unless an exception applies).
This may occur in three main circumstances including:
How do I notify?
When an APP Entity has reasonable grounds to believe an eligible data breach has occurred, it must promptly notify any affected individuals at risk of serious harm, and the Commissioner of the OAIC should be notified via a Notifiable Data Breach form.
For more information on what to include in an eligible data breach statement see here.
What if I don’t notify?
APP Entities that do not comply with the notification obligations will be subject to the Privacy Act’s existing enforcement and civil penalty framework, which ranges from investigations to substantial civil penalties.
Some steps your company can take to reduce the risk include:
An effective response plan is an important tool for companies which collect personal information. If your company is successful in taking remedial action before any serious harm is caused it may be able to avoid the notification requirement and a penalty under the Act.
Additionally, consider the following strategies:
The OAIC’s Data breach notification — a guide to handling personal information security and its Guide to developing a data breach response plan provide a best practice model. The OAIC also has a comprehensive Guide to securing personal information.
Ensure your business is protected today – get in touch with a professional at DVM Law to ensure you comply with the new laws.