The Privacy Amendment (Notifiable Data Breaches) Act 2016 commences operation on 22 February 2018.
This means that companies that hold personal information (for example client lists, or personal information and data associated with clients or customers) must notify affected individuals, as well as the Office of the Australian Information Commissioner, if they become aware that there are reasonable grounds to believe that an ‘Eligible Data Breach’ has occurred.
Failure to notify will expose corporations to a maximum fine of $2.1 million.
A company that has reasonable grounds to suspect that an eligible data breach may have occurred must carry out an assessment of the suspected breach within 30 days of becoming aware of that suspicion. Where the assessment shows that there are reasonable grounds to believe that an ‘eligible data breach’ has in fact occurred, the company must notify the Commissioner and the affected individuals.
There is an Eligible Data Breach when either: (a) there has been unauthorised access to, or disclosure of, personal information and a reasonable person would conclude that the access or disclosure is likely to result in serious harm to any of the affected individuals; or (b) personal information is lost in circumstances that are likely to give rise to unauthorised access to, or disclosure of, the information, and a reasonable person would conclude that such access or disclosure is likely to result in serious harm to any of the affected individuals.
In determining whether access to or disclosure of information would reasonably be likely to result in serious harm, various matters are taken into account, including:
- the kind or kinds, and sensitivity, of the information
- whether the information is protected by one or more security measures, and the likelihood that those measures could be overcome
- the person or the kinds of persons who have obtained or could obtain the information
- the likelihood that any persons who could obtain information that has been secured by making it unintelligible or meaningless to unauthorised persons may also have the means to circumvent that security, and
- the nature of the harm.
What should you do?
All companies should have in place a data breach response plan. This is a framework which sets out the roles and responsibilities for managing an appropriate response to a data breach, and describes the steps the company will take in managing a breach if one occurs. This includes:
- the actions to be taken if a breach is suspected, discovered or reported by a staff member, including when it is to be escalated to the response team
- the members of your data breach response team (response team)
- the actions the response team is expected to take.
If you do not have a data breach response plan and need some assistance in developing one, please contact us and we can certainly assist you with developing and implementing a plan suitable for your business.