New data notification laws commenced in February. Under the notifiable data breaches (NDB) scheme businesses need to formally investigate suspected data breaches of personal information. Data breaches that are likely to result in serious harm must be reported to the Office of the Australian Information Commissioner and to those individuals impacted.
The Privacy Act – a duty to protect and secure information
If you have a turnover greater than $3 million, the Privacy Act 1988 and Australian Privacy Principles (APP) regulate the way your business handles personal information.
These laws broadly require businesses to secure any personal information they hold and take reasonable steps to protect this information from misuse, interference, loss and unauthorised access, modification or disclosure.
Some common examples of personal information include an individual’s name, address, phone number, date of birth, email address, photograph or video recording of a person, bank account details, tax file number, signature, and commentary or opinion about an individual.
Many HIA members will obtain and secure personal information from their clients, potential customers, employees and contractors.
The new data notification laws
The notifiable data breaches scheme adds to the existing privacy obligations.
Under the new laws, as soon as practicable after you become ‘aware that there are reasonable grounds to believe’ there has been an eligible data breach you must notify these parties:
• the Information Commissioner
• affected individuals (or publish a statement).
There are some exceptions, including where sufficient remedial action is taken so that the data breach is no longer likely to result in serious harm.
The new data notification laws will apply to businesses with a turnover greater than $3 million. The laws apply to small businesses only in relation to a data breach involving tax file numbers.
There may be penalties for non-compliance, including compensation for damages and monetary fines.
What is a notifiable data breach?
An eligible data breach will happen if:
• there is unauthorised access, unauthorised disclosure, or loss of personal information held by an entity, and
• the access, disclosure or loss is likely to result in ‘serious harm’ to the individual to whom the information relates.
Online hacks, email ‘phishing’ and ransomware are common data breach risks. However, other examples include:
• lost or stolen electronic devices containing personal information (such as a laptop, USB or mobile phone)
• paper records stolen from insecure recycling or garbage bins
• accidentally providing personal information to the wrong person
• unauthorised access to payroll information or personal information of employees.