Notifiable Data Breaches
In February, the Privacy Amendment (Notifiable Data Breaches) Act 2017 comes into full force. One of the key points of this amendment is that all entities covered by the Australian Privacy Principles (APPs) (ie have a turnover of more than $3m) must notify the Office of the Australian Information Commissioner and any potentially affected individuals of an "eligible data breach".
- a data breach will arise where there has been unauthorised access to, or unauthorised disclosure of, personal information about one or more individuals, or where such information is lost in circumstances that are likely to give rise to unauthorised access or unauthorised disclosure (for example, leaving the information on the bus);
- an eligible data breach will arise where a reasonable person would conclude that there is a likely risk of serious harm to any of the affected individuals as a result of the unauthorised access or unauthorised disclosure;
- serious harm, while undefined, is likely to include serious physical, psychological, emotional, economic and financial harm, as well as serious harm to reputation; and
- serious harm will be likely if such harm is "more probable than not" having regard to a list of relevant matters to be included in Part IIIC. The matters include the sensitivity of the information, any security measures taken (such as encryption) and how easily those security measures could be overcome (for example, if the encryption key has also been accessed).
Entities that simply suspect that an eligible data breach has occurred simply need to complete a "reasonable and expeditious" assessment into the relevant circumstances within 30 days. If this suspicion is confirmed, then a notification to the OAIC must be made using a prescribed format, and a statement to affected individuals must be made using any normal communications method. There are exceptions to this notification requirement, including if the entity has taken remedial action before any serious harm caused by the data breach has occurred.
Causeis takes client data security very seriously. We have strict policies in relation to how staff handle offline versions of client data. We advise all clients to ensure they are ready for the changes by confirming that all policies and procedures relating to data handling have been updated and staff are aware of their responsibilities so that private information does not get left on the bus! Do you know where your backups are?
EU General Data Protection Regulation (GDPR)
Another major change is the introduction of the GDPR in May. This has ramifications for any clients that hold any personal information about any EU citizen. Even though your company is not located in the European Union, GDPR also applies to the processors and controllers outside the EU where it:
- offers goods or services to individuals inside the EU, even if no payment is required or
- monitors the behaviour of individuals within the EU – especially if you perform analysis or profiling of that activity for predictive purposes.
The GDPR and the Australian Privacy Act share many similar goals – like privacy by design and transparency, however there are key differences that your organisation should be aware of if you meet either criteria above, such as a requirement to appoint a data protection office and an individuals right to be forgotten and to data portability. There are also strict requirements regarding the transfer of personal data outside the EU. If your organisation meets or suspects that you meet either of these requirements, it is vital that you seek advice on implementing the GDPR. For more information about the GDPR please refer to https://www.eugdpr.org/gdpr-faqs.html
For more information refer to the Office of the Australian Information Commissioner via https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme