Mandatory Data Breach Notification
Helping you understand your obligations in the event of a data breach
The Notifiable Data Breaches scheme mandates that Australian Government agencies and the various organisations with obligations to secure personal information under the Privacy Act 1988 (Cth) (Privacy Act) notify individuals affected by data breaches that are likely to result in serious harm.
Understanding Mandatory Data Breach Notification
By now you’ve probably heard the concerns surrounding the new legislation on data security. It’s called the Privacy Amendment (Notifiable Data Breaches) Bill 2016 (Bill) and it has been set up as a notification regime for eligible data breaches in Australia. Under the new law, organisations that determine they have been breached or have lost data will need to report the incident to the Privacy Commissioner and any affected customers as soon as they become aware of the breach.
The changes have attracted controversy, with some expressing concern over the compliance burden on business, the law's wide-reaching scope and the potential for notification fatigue. But given the growth of the digital economy and the vast amounts of data being collected and stored by various organisations, the rules aim to make entities proactive in protecting their data while providing steps to protect individuals whose information has been compromised.
Who does the law apply to?
The new law applies to all government agencies and organisations governed by the Privacy Act (e.g. many private sector businesses and not-for-profit organisations with an annual turnover of more than $3 million). The Privacy Act also extends to some types of businesses with an annual turnover of less than $3 million. This includes businesses and individuals that:
- Handle personal information for a living, including those who handle credit reporting information, tax file numbers and health records;
- Sell or purchase personal information along with credit reporting bodies;
- Are related to a business that is covered by the Privacy Act.
The Act also makes special reference to:
- Private sector health services providers – medical practitioners, pharmacists, and even alternative medicine practices, gyms and weight loss clinics fall under this category;
- Childcare centres, private schools and private tertiary educational institutions.
When does the law take effect?
The Bill was mandated and has applied as law since 22nd February 2018.
What happens if I fail to act?
Those that fail to notify face sanctions such as public apologies and compensation payments of up to $360,000 for individuals and $1.8 million for organisations. Of course, there is also the risk of reputational and associated commercial damage to the business. The good news is that the law seeks to protect businesses that are proactive and effective when dealing with data breaches.