
Cyber Security, Protecting Your Assets

Privacy Amendment (Notifiable Data Breaches) Act 2017 and What This Means for Your Business

The Australian Privacy Amendment (Notifiable Data Breaches) Act 2017 (Act) is the latest amendment to the Privacy Act 1988. The Australian Law Reform Commission first reviewed the concept of data breach in 2008. However, after lengthy delays and a 4-year passage through Parliament that started back in 2013, the Act now brings Australia in line with other countries that have long had mandatory data breach laws. But what does the amendment mean for you?

In summary, an eligible data breach means that there is unauthorised access to, unauthorised disclosure of, or loss of personal information held by an accountable organisation; and the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates. An organisation or business with an annual turnover of $3,000,000 or more (and some small businesses) must give notification if it has reasonable grounds to believe that an eligible data breach has happened, or if it is directed by the Privacy Commissioner to do so.

The Notifiable Data Breach (NDB) Scheme only requires organisations to notify when there is a data breach (e.g. unauthorised access, unauthorised disclosure) that is likely to result in serious harm to any individual to whom the information relates. Exceptions to the NDB Scheme will apply for some data breaches, meaning that notification to individuals or to the Commissioner may not be required.

Under the NDB Scheme, serious harm will be assessed having regard to the kinds of information involved, its sensitivity, whether it was protected (including by encryption and access controls), and the kinds of persons who have obtained the information. An objective test will apply to assess reasonableness, meaning that what is reasonable is a question of fact in each individual case.

For more information on whether the NDB Scheme applies to your business and what the relevant penalties may be, please contact Priority Business Lawyers to discuss and consider updating your Privacy Statement.

Copyright 2021 @ PBL Law Group