Part 3 - The Privacy Act 1988 and notifying people of data breaches

Posted on 11 February 2014

In the first two (2) parts of our three (3) part blog on the amendments to the Privacy Act 1988 (Privacy Act) we focused on the new Australian Privacy Principles (APP), the new credit reporting system and the changes businesses will need to implement in order to comply with the Privacy Act by 12 March 2014.

In part three (3) of our blog we focus on the Privacy Amendment (Privacy Alerts) Bill 2013 (the Bill), which was introduced into federal parliament on 29 May 2013 and, once enacted by Parliament in the last quarter of 2013, will commence on 12 March 2014.

The Bill

The Bill amends the Privacy Act 1988 (the Privacy Act) to introduce mandatory data breach notification provisions for agencies and organisations that are regulated by the Privacy Act. The Bill will require organisations to provide notice to affected persons and the relevant regulator when certain types of personal information are accessed, obtained, used, disclosed, copied, or modified by unauthorised persons.

By requiring organisations to notify those affected by data breaches the Government hopes that individuals whose personal information has been compromised will be able to take immediate steps to lessen the adverse impact that might arise from the breach. For example, an individual affected by a data breach may wish to change passwords or take other steps to protect his or her personal information. In addition, not only must organisations notify relevant affected individuals of data breaches, but the Bill also requires notice to be given to the Australian Information Commissioner (the Commissioner).

Data breaches and personal information

Under the proposed new laws a data breach is defined as unauthorised access to, or disclosure of, personal information, or the loss of personal information in circumstances that could give rise to unauthorised access or disclosure. A data breach is classed as a serious data breach where there is a real risk of serious harm to the individual to whom the information relates as a result of the breach. An example is the release of particularly sensitive information, such as health records, which may not cause serious harm in every circumstance but should be subject to the highest level of privacy protection.

In the event of a serious data breach, an organisation will be required to notify both the Commissioner and the affected individuals as soon as practicable after the organisation has reasonable grounds to believe that a serious data breach has occurred. The organisation must include the following in the notice:

  • the identity and contact details of the entity;
  • a description of the serious data breach;
  • the kinds of information concerned;
  • recommendations about the steps that individuals should take in response to the serious data breach; and
  • any other information specified in the regulations.

Notification after a data breach

In circumstances where the Commissioner believes that a serious data breach has occurred and no notification has been given by the organisation that suffered the breach, the Commissioner may issue a written direction to the entity requiring it to provide notification of the data breach.

Failure to comply with an obligation included in the Bill will be deemed to be an interference with the privacy of an individual for the purposes of the Privacy Act and will leave organisations liable for civil penalties under the Privacy Act. Where an organisation is guilty of serious or repeated non-compliance with the notification provisions proposed by the Bill, civil penalties would be imposed by a Court on application by the Commissioner.

Impact on businesses

Businesses need to review and amend their current privacy policies to ensure that they are ready to deal with the new laws when they commence on 12 March 2014. Processes need to be implemented to ensure all staff are fully aware of and educated about the new privacy laws, so that in the event of a data breach they are able to alert both the Commissioner and the individuals affected by the data breach as required by the Privacy Act.

If you would like further information on the amendments to the Privacy Act or have your privacy policies and procedures reviewed to ensure you are compliant with the new laws please contact us.