Beware! Mandatory data breach notification laws will apply from 22 February 2018 to businesses covered by the Privacy Act
What does this mean?
First, you need to establish whether your business, regardless of its legal structure, has to comply with the requirements of the Privacy Act. If your business falls outside of the Privacy Act net, then you do not need to do anything further (although it may be prudent to take this opportunity to review your current security measures, data back-ups and processes for dealing with any potential data breaches).
If your business falls within the Privacy Act net, then you have until 22 February 2018 to put into place practices and procedures that are compliant with the Privacy Act and with the mandatory data breach notification rules in particular. Businesses covered by the Privacy Act are referred to as APP Entities – APP standing for Australian Privacy Principles.
Is my business covered by the Privacy Act?
All businesses with annual turnover of $3 million or higher are required to comply with the Privacy Act. Most small businesses (defined as having annual turnover below $3 million) will not have to comply with the Privacy Act, unless they fall into one of the exceptions for businesses that handle personal information, as detailed below.
Please note that the legal structure of your business is irrelevant in determining whether the Privacy Act applies – it is equally pertinent to individuals and other entities.
A small business with an annual turnover of $3 million or less will still have to comply with the Privacy Act if it is:
- a health service provider
- trading in personal information (e.g. buying or selling a mailing list)
- a contractor that provides services under a Commonwealth contract
- a reporting entity for the purposes of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006
- an operator of a residential tenancy database
- a credit reporting body
- employee associations registered or recognised under the Fair Work (Registered Organisations) Act 2009
- businesses that conduct protected action ballots
- businesses that are related (as per the test in the Corporations Act) to a business that is covered by the Privacy Act
- businesses prescribed by the Privacy Regulation 2013; or
- businesses that have opted in to be covered by the Privacy Act.
If your business has an annual turnover of $3 million or less and meets one of the criteria above, the Privacy Act will apply to your business or some aspects of it. To check whether you need to comply, you can complete the Privacy checklist for small business (listed at Appendix A here), or seek advice from your industry association or lawyer.
What do I need to do if my business is covered by the Privacy Act?
If your business is covered by the Privacy Act you will have to comply with the Australian Privacy Principles (APP). Additional resources in relation to the APP are available on the OAIC website here.
As part of the APP compliance process, you will need to ensure that your business is ready for the Notifiable Data Breaches Scheme which comes into effect from 22 February 2018.
What is the Notifiable Data Breaches Scheme?
The Notifiable Data Breaches Scheme (‘Scheme’) requires APP Entities (i.e. businesses covered by the Privacy Act) to provide notice as soon as practicable to the OAIC and affected individuals where there are reasonable grounds to believe that an "eligible data breach" has occurred (unless an exception applies).
- a data breach will arise where there has been unauthorised access to, or unauthorised disclosure of, personal information about one or more individuals, or where such information is lost in circumstances that are likely to give rise to unauthorised access or unauthorised disclosure (for example, leaving the information on public transport);
- an eligible data breach will arise where a reasonable person would conclude that there is a likely risk of serious harm to any of the affected individuals as a result of the unauthorised access or unauthorised disclosure;
- serious harm, while undefined, is likely to include serious physical, psychological, emotional, economic and financial harm, as well as serious harm to reputation; and
- serious harm will be likely if such harm is "more probable than not" having regard to a list of relevant matters included in the legislation, such as the sensitivity of the information, any security measures taken and how easily those security measures could be overcome.
Additional information is available on the Notifiable Data Breaches page of the OAIC website and is being updated as more details become available prior to the Scheme coming into effect.
Failure to comply with the Scheme will fall under the existing enforcement and civil penalty provisions of the Privacy Act, and may result in investigations and/or substantial penalties, especially in cases of serious or repeat non-compliance.
What does a business need to report under the Scheme in case of a breach?
Where an organisation becomes aware that there are reasonable grounds to believe an eligible data breach has occurred, it is obligated to notify individuals at risk of serious harm and the OAIC as soon as practicable. This notification must set out:
- the identity and contact details of the organisation
- a description of the data breach
- the kinds of information concerned; and
- recommendations about the steps individuals should take in response to the data breach.
Organisations that suspect a data breach may have occurred are required to undertake an assessment within 30 days to determine if the data breach is likely to result in serious harm. A longer period may be allowed if the investigation is particularly complex.
Detailed guidance in relation to the Notifiable Data Breaches Scheme and reporting breaches is available in the OAIC’s Guide to handling personal information security breaches.
Exceptions from the notification requirement
Not all data breaches are notifiable and there are certain exceptions. For example, if an entity acts quickly to remediate a data breach, and as a result of this action the data breach is not likely to result in serious harm, there is no requirement to notify any individuals or the OAIC.
Steps to take now
The above notification exception highlights the importance of early detection and having a pre-determined action plan to be able to identify and address any data breaches quickly. With less than 6 months left to go until the Scheme comes into effect, now is the time to review your security practices and procedures and identify any potential risks, such as an attack by hackers or inadvertent loss of information by employees.
You may also wish to investigate whether obtaining cyber insurance would be an appropriate step, to assist with costs in case of a breach. Cyber insurance covers the costs associated with many types of potential IT breaches (although specific policies vary, so one size does not fit all).
The OAIC continues to publish new guidance and additional information is expected to be added to the OAIC website over the coming months, so keep an eye on it.
If you need any assistance with determining whether your business needs to comply with the Privacy Act requirements, please contact your Ruddicks adviser and we can assist you with the process.
Liability limited by a scheme approved under Professional Standards Legislation.
The contents of this publication are general in nature and we accept no responsibility for persons acting on information contained herein. The content of this newsletter does not constitute specific advice and readers are encouraged to consult their Ruddicks adviser on any matters of interest.
Any advice provided is not ‘financial product advice’ as defined by the Corporations Act. Ruddicks is not licensed to provide financial product advice and taxation is only one of the matters that you need to consider when making a decision on a financial product. You should consider seeking advice from an Australian Financial Services licensee before making any decisions in relation to a financial product. © Ruddicks 2017