Ever lost a wallet or USB? Perhaps misplaced an important work file?
The Privacy Amendment (Notifiable Data Breaches) Act 2017 inserted a mandatory notification scheme for eligible data breaches into the Privacy Act 1988 (Cth). The scheme took effect on 22 February 2018.
Where an eligible data breach occurs, any entity bound by the Australian Privacy Principles must notify both the Office of the Australian Information Commissioner (OAIC) and the individuals who are at risk of serious harm as a result of the breach. Before the amending legislation, notification of a data breach was voluntary for most entities. Now there is no choice, and having to tell your clients that you have lost their information is embarrassing at best; at worst it can permanently damage your reputation and expose you to claims for damages.
Protecting your own confidential information and the privacy of the clients is not a matter to be taken lightly.
What is an “eligible data breach”?
An eligible data breach occurs when either:
- There is unauthorised access to, or unauthorised disclosure of, personal information; or
- Personal information is lost in circumstances where unauthorised access or disclosure is likely to occur;
and a reasonable person would conclude that the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates.
Where there is a breach, if you can take steps quickly to prevent unauthorised access or disclosure or to prevent any serious harm, you may not be required to notify anyone.
If you are not sure whether an “eligible” data breach has occurred, you must carry out a reasonable and expeditious assessment, and complete it within 30 days of becoming aware of reasonable grounds to suspect a breach. If the assessment confirms an eligible data breach (or you are already aware of one), you must prepare a statement, give it to the OAIC and notify the affected individuals as soon as practicable.
Defining “serious harm”
Whether harm is ‘serious’ depends on the circumstances of each breach. You should consider the kind and sensitivity of the information, the security protections in place around it (for example, whether it was encrypted and whether the key was also compromised), the type of person or people who obtained or are likely to obtain it, and the nature of the harm that could follow. Harm may be financial, physical, psychological, emotional or reputational.
So what should you be doing?
- Create or update your data breach response plan, and make sure the internal and external contacts it names (management, IT, legal, insurers) are ready to respond quickly when a breach occurs;
- Review your service provider arrangements and the security mechanisms those providers have in place to protect your data, since a breach at a provider holding your clients’ information can still be your breach to notify;
- Educate your staff on the changes to the Privacy Act and on what they can do to reduce the risk; and
- Review your procedures and controls for the storage, retention and security of personal information, as holding less information for less time, and protecting what you do hold, reduces the likelihood that a breach will result in “serious harm”.
This is a sponsored article, though all opinions are the author’s own. For more information on paid content, see our sponsored content policy.