The Federal Government has today passed the Privacy Amendment (Notifiable Data Breaches) Act 2016 to amend the Privacy Act 1988 to include mandatory notification of eligible data breaches.
This was the government’s third attempt at legislating data breach notification as a result of recommendations from the Australian Law Reform Commission in 2008. The rules are aimed at directing entities to become proactive in protecting their data, implementing data breach response plans and taking steps to protect individuals whose information has been compromised.
Update: The key amendments will commence 22nd February 2018.
As with many other requirements under the Privacy Act, serious and repeated breaches will be subject to enforcement action including civil penalty orders of up to $1.8 million.
When is notification required?
Those entities are now required to provide notification where the entity has reasonable grounds to believe that an ‘eligible data breach’ has occurred. An ‘eligible data breach’ happens where;
- there is unauthorised access to, unauthorised disclosure of, or loss of, personal information held by an entity; and
- the access, disclosure or loss is likely to result in serious harm to any of the individuals whom the information relates.
This new test for the requirement to notify a data breach is narrower than the ‘real risk of serious harm’ test which was found in the 2015 draft bill and in the Office of the Australian Information Commissioner’s (OAIC) best practice guide.1 The change is in response to feedback on the draft bill from stakeholders concerned about certainty and regulatory burden.
The amending Act does not define ‘serious harm’, but does list a number of relevant matters to assessing whether serious harm is likely, including the kind of information, sensitivity of the information, the security protections in place, the type of person or people who obtained the information and the nature of the harm. Applying these considerations, notification is more likely to be required in relation to a targeted hack to obtain consumer password data, rather than where an encrypted list of staff names and titles was accidentally emailed to a director of the company.
Notably, the amending Act does not mention the number of individuals affected by a data breach as being relevant to the assessment of whether serious harm is likely. In other words, harm to one individual can be enough.
In terms of the types of harm, the government has commented as follows:
It is expected that a likely risk of serious financial, economic or physical harm would be the most common likely forms of serious harm that may give rise to notification. Nonetheless, a reasonable person may conclude in some cases that a likely risk of serious psychological or emotional harm, serious harm to reputation or other serious harms … may exist. For example, this may be the case where an eligible data breach involves health information or other ‘sensitive information’.2