Australia has passed legislation to introduce a mandatory data breach notification regime. The Privacy Amendment (Notifiable Data Breaches) Bill 2016 was passed on 13 February 2017, and is expected to come into force in early 2018 (12 months after Royal Assent). Up to this point there has been no statutory requirement in Australia to notify individuals or regulators of data breach incidents.
The notification regime will apply to all entities that are subject to Australia’s Privacy Act 1988 (Cth). This generally covers all Australian registered companies and government agencies – and also overseas entities carrying on business in Australia (even without a physical presence in Australia) – with an annual turnover of $AUD 3 million or more. In addition, entities that handle particular types of information (for example private health information, credit providers, credit reporting bodies and holders of Australian tax file information) may be subject to the Privacy Act regardless of turnover. Entities subject to the Privacy Act are, among other things, bound to comply with 13 ‘Australian Privacy Principles’ that regulate the manner in which personal information may be collected, held and managed.
Under the new regime entities must assess whether an ‘eligible data breach’ has occurred and, if so, notify affected individuals and the Australian Privacy Commissioner as soon as practicable. An eligible data breach is one that is likely to result in serious harm to individuals to whom the personal information relates. This is assessed objectively and by reference to the particular circumstances of the breach.
Notably, an entity may take remedial action to address any potential harm to individuals arising from a data breach. If this is done before any serious harm occurs, the incident may not qualify as an eligible data breach and notification may not be required.
Failure to comply with the notification regime will attract prescribed penalties.
Entities that are subject to the new notification regime are advised to be well prepared, both in terms of preventative measures and data breach response plans.
If you would like further information or have any questions about how the new mandatory data breach notification regime – and/or Australia’s privacy laws in general – may impact your clients, please contact us.
This is for general information only and formal legal advice should be sought on matters of interest arising from this article.