Posted 28 November 2017
Amendments to the Privacy Act 1988, introducing a notifiable data breach scheme, commence on 22 February 2018.
From that date, persons and organisations to whom the privacy laws apply, and who experience a notifiable data breach, need to notify the person to whom the data relates and the Privacy Commissioner. The notification must set out:
There are potentially large civil penalty orders, but apparently only where failure to notify involves a serious or repeated interference with privacy.
A data breach occurs when personal information held by an organisation is lost or subjected to unauthorised access or disclosure, e.g. when:
A Notifiable Data Breach is a data breach that is likely to result in serious harm to any of the individuals to whom the information relates. Serious harm is not defined in the Privacy Act. There is some commentary on the Privacy Commissioner’s website, suggesting a reasonably high bar, including:
In the context of a data breach, serious harm to an individual may include serious physical, psychological, emotional, financial, or reputational harm.
In assessing the risk of serious harm, entities should consider the broad range of potential kinds of harms that may follow a data breach. It may be helpful for entities assessing the likelihood of harm to consider a number of scenarios that would result in serious harm and the likelihood of each. Examples may include:
Basically, if the privacy laws apply to you and you get hacked or lose a phone or laptop containing personal information, you need to consider whether “serious harm” could result and, if so, make a notification. Your privacy officer should keep a register of privacy transactions, e.g. requests for access and any issues in this area. On a technical level, you might want to consider a higher level of security for information which could be used for fraudulent transactions or identity theft, e.g. account details and copies of passports.
We have considerable experience with these issues and can assist if you are having difficulties with them.
***The information contained in this article is general information only and not legal advice. The currency, accuracy and completeness of this article (and its contents) should be checked by obtaining independent legal advice before you take any action or otherwise rely upon its contents in any way.