Under new laws that came into effect on 22 February 2018, Australia has introduced a Mandatory Data Breach Scheme. The scheme applies to businesses whose systems suffer a data breach in which confidential information is compromised.
Some questions to ask yourself if you believe you may need to report a data breach are:
- Has your business been hacked?
- Is it likely there has been unauthorised access to personal information your business holds as a result?
- Could the individuals whose personal information might have been compromised suffer serious harm if their personal information is disclosed?
If the answers to these questions are yes, you may need to report the data breach to the Office of the Australian Information Commissioner (‘OAIC’) and to the individuals affected.
The Mandatory Data Breach Scheme applies to all businesses and not-for-profit organisations that are required to comply with the Australian Privacy Principles, as contained in the Privacy Act 1988 (Cth). Generally, the Australian Privacy Principles apply to all businesses and not-for-profits that are earning revenue of $3 million or more. Some organisations, such as health organisations and organisations in the business of collecting or distributing personal information, will be covered by the Australian Privacy Principles, regardless of their revenue.
When do I need to disclose?
There are thirteen Australian Privacy Principles. Under Australian Privacy Principle 11, organisations are required to take reasonable steps to prevent the misuse of personal information and to protect personal information from unauthorised access, modification or disclosure.
An organisation will be required to notify OAIC in situations where:
- There has been unauthorised access to, or disclosure of, personal information the organisation is holding, or
- The organisation has lost control of personal information the organisation was holding and, as a consequence, unauthorised access to, or disclosure of, the information is likely to occur, and
- If someone were to access or disclose the information, a reasonable person would conclude that the individuals affected would be likely to suffer serious harm.
However, the organisation is not required to disclose the data breach if the organisation takes remedial action with the result that the individuals affected by the data breach are not likely to suffer serious harm, notwithstanding the original breach.
What is serious harm?
The legislation does not define ‘serious harm’. In the Explanatory Memorandum that accompanied the Parliamentary Bill introducing the data breach notification regime, ‘serious harm’ was said to include ‘serious physical, psychological, emotional, economic and financial harm, as well as serious harm to reputation’. Mere distress would not ordinarily be sufficient to amount to ‘serious harm’.
The legislation is intended to cover a broad scope of the possible kinds of harm a person may suffer, but the harm must, in any event, be ‘serious’.
The legislation does set out a list of factors that must be taken into account in determining whether ‘serious harm’ is likely to occur, including:
- The nature and sensitivity of the information,
- How well protected the information is, and
- Whether the people who have or are likely to obtain the information are likely to use the information to cause harm.
How do I disclose a data breach?
If your organisation does need to disclose a data breach, you will need to provide a statement to the Information Commissioner setting out the details of the data breach. OAIC prefers notification using the online form found on their website.
In most circumstances, you will also be required to notify the individuals affected by the data breach. Details of the information you need to include in your statement, and the link to the online form, can be found on the OAIC website.
There are significant penalties if an organisation fails to disclose a data breach when it ought to have done so, meaning you need to take your organisation’s obligations to report seriously.
How Can Sharrock Pitman Legal assist?
Our society is becoming increasingly conscious of the importance of privacy, so it is important that organisations are aware of their legal duties in this area. If you have any queries about the mandatory data breach notification obligations that apply to your organisation, or your organisation’s general obligations under the Australian Privacy Principles, please do not hesitate to contact Mitchell Zadow on 1300 205 506.
The information contained in this article is intended to be of a general nature only and should not be relied upon as legal advice. Any legal matters should be discussed specifically with one of our lawyers.
Liability limited by a scheme approved under Professional Standards Legislation.
For further information, contact Mitchell Zadow, the Managing Principal of our law practice.
He is an Accredited Specialist in Commercial Law (accredited by the Law Institute of Victoria). He also deals with areas of Employment Law, Wills & Estate Planning and Probate. For further information, contact Mitchell on his direct line (03) 8561 3318.