The Privacy Act 1988 (Cth) and Australian Privacy Principles apply to Australian Government agencies, businesses (including not-for-profit entities) with an annual turnover of $3 million or more, credit reporting bodies, and smaller entities that trade in personal information or provide health services.
These organisations are required to implement systems for the collection, storage, management and disclosure of your personal information.
Recently, our privacy laws were strengthened by introducing mandatory reporting requirements for businesses when certain ‘eligible data breaches’ occur.
What is an ‘eligible data breach’?
An eligible data breach happens if:
· there is unauthorised access to, disclosure of, or loss of, personal information held by an entity; and
· the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates.
What is ‘serious harm’?
For an eligible data breach to occur, the business must assess whether the affected individual is at risk of serious harm. ‘Serious harm’ is not merely annoyance or inconvenience – it includes physical, psychological, emotional, financial or reputational harm. The business must consider:
· the type of information released;
· the level of sensitivity – information regarding a person’s health, financial status, or documents that could be used for identity fraud will be considered highly sensitive;
· whether the information is protected by a security measure and, if so, the probability that such measures can be overcome;
· the likelihood of the recipient of the personal information using that information to cause harm to the individual;
· whether the information has any meaning to the recipient;
· the type of harm that could occur, such as identity theft, threats to a person’s safety, damage to reputation, or loss of business or employment opportunities;
· the circumstances of the breach.
How must a business deal with an eligible data breach?
If a breach occurs, the business must notify any affected individual and the Office of the Australian Information Commissioner (OAIC).
If the business suspects a breach has occurred, it must investigate the circumstances of the possible breach within 30 days of becoming aware of it, to determine whether it is an eligible data breach.
Notification must include:
· the entity’s identity;
· details of the data breach – i.e. how the breach occurred;
· the information that is the subject of the breach;
· the recommended actions that individuals should take in response to the breach.
Notification is not required if a business is able to fix the breach quickly so that it is unlikely to result in serious harm.
The form of notification will depend on the circumstances of the breach and on whether it is practicable to identify and notify each affected individual. If individual notification is not practicable, alternative methods may be used, such as publishing a statement on a website or advertising in newspapers, online or on social media platforms.
Failure to carry out the investigation and notification processes will breach privacy laws and the business may face significant civil penalties.