Mandatory Data Breach Notification Bill Passed
It is the Bill that has done the rounds of Parliament and been the subject of much anticipation and commentary. Privacy nerds everywhere (read: Griffin Legal staff) were waiting with bated breath to see if the latest amendments to the Privacy Act 1988 (Cth) would be passed.
On 13 February 2017, the Privacy Amendment (Notifiable Data Breaches) Bill 2016 (Notifiable Data Breaches Bill) was passed by the Senate. The Bill will become law within the next 12 months.
The Notifiable Data Breaches Bill follows persuasive reports from both the Parliamentary Joint Committee on Intelligence and Security’s Advisory and the Australian Law Reform Commission recommending that such laws be enacted.
The notification scheme will require those organisations and agencies regulated by the Privacy Act 1988 (Cth) and the Australian Privacy Principles to report any “eligible data breaches” to the Australian Privacy and Information Commissioner and to notify impacted individuals as soon as possible.
In theory, this mandatory notification scheme seeks to establish a well-balanced privacy framework that provides a safer and more transparent method of dealing with data breaches.
When is notification required?
Pursuant to the new Act, entities are required to notify the Australian Information Commissioner and affected individuals if there has been an “eligible data breach”. An eligible data breach occurs when:
- there is unauthorised access to, unauthorised disclosure of, or loss of, personal information held by an entity; or
- the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates.
Furthermore, an entity must give notification if:
- it has reasonable grounds to believe that an eligible data breach has happened; or
- it is directed to do so by the Commissioner.
How do you assess whether the data breach is “likely to result in serious harm”?
An individual has been the subject of an eligible data breach, and is at risk, when a reasonable person would conclude that the access to, or disclosure of, the personal information would be likely to result in serious harm to any of the individuals to whom the information relates. Factors which may be considered in determining whether a reasonable person would conclude that an access to, or a disclosure of, information would be likely to result in serious harm to the individuals to whom the information relates include:
- the kind of information;
- the sensitivity of the information;
- whether the information is protected by one or more security measures (for example, encryption) and the likelihood that any such measures could be overcome;
- the persons, or the kinds of persons, who have obtained, or who could obtain, the information; and
- the nature of the harm.
What is included in a notification?
Your next steps
The passing of the Notifiable Data Breaches Bill was welcomed by the Information Commissioner, Tim Pilgrim. In a recent media report, Mr Pilgrim noted:
Although the mandatory notification scheme is not yet operative, a prudent response would be to start adopting these changes now.
For assistance in developing or updating your agency’s or organisation’s data breach response plan, please contact Carina.Zeccola@griffinlegal.com.au.