Bill passed requiring Data Breach notification
Australian enterprises and federal agencies now have 12 months to prepare to comply with Mandatory Data Breach Notification Laws, following the passage of the Privacy Amendment (Notifiable Data Breaches) Bill 2016 on Monday, February 13.
The new laws apply only to government agencies and organisations which are governed by the Privacy Act 1988. This means that state government organisations, local councils and territories, plus organisations with a turnover less than $3 million a year, fall outside the legislation.
The law will come into effect 12 months from the date of royal assent.
“All businesses and organisations should review their privacy and data security policies to ensure, when handling sensitive information, that they will be able to comply with the new Mandatory Data Breach Notification Laws when they come into force,” recommends Christopher Russo, a Lawyer at Maddocks
“Under the amendments, an affected organisation will be required to report the incident to the Office of the Australian Information Commissioner and to notify an affected party within 30 days as soon as the organisation becomes aware of any such data breach.
“The notification to the affected party must disclose the type of data breach, the particular information affected and how the affected party should respond to the data breach.”
There is an exception for situations where the entity takes remedial action before the access or disclosure results in serious harm. Other exceptions relate to law enforcement-related activities and the application of secrecy provisions in other laws.
The bill specifies that the statement to the OAIC must include a description of the data breach, the kinds of information involved, and recommendations for steps that those affected should take in response to the incident. Affected individuals must then be notified of the contents of the statement.
The OAIC may also direct an entity to provide notification of an eligible data breach that it believes to have occurred. A failure to notify that is found to constitute a serious interference with privacy under the Privacy Act 1988 (Cth) can be penalised with a fine of up to $A360,000 for individuals and $A1.8 million for companies.
According PricewaterhouseCoopers (Australia), “The new laws present companies with an opportunity to engage with their customers on privacy protection and to build/maintain trust in an increasingly digital world. This is an ideal time to review how your company manages its information (and manages itself) to take stock of its information assets, its data protection measures (including response activities) and to ensure it minimises the risk of a breach in the first place.”
PWC’s detailed analysis of the new laws is available HERE
Australian Privacy and Information Commissioner, Timothy Pilgrim, said, “My office will be working closely with agencies and businesses to help prepare for the scheme’s commencement. This will include providing additional guidance over the next 12 months, and events hosted through the OAIC’s Privacy Professionals Network.
In the meantime, agencies and businesses should continue to take reasonable steps to make sure personal information is held securely – including being equipped with a clear response plan in the event of a data breach.
The OAIC’s Data breach notification — a guide to handling personal information security and Guide to developing a data breach response plan provide a best practice model, and will be updated in consultation with stakeholders ahead of the commencement of the mandatory notification scheme. The OAIC also has a comprehensive Guide to securing personal information.