Contributed by Brian Hay, Cultural Cyber Security
What does this mean?
That from 23 February 2018 you are obliged by law to report to the Office of the Australian Information Commissioner and any potentially affected individuals of an “eligible data breach”.
Who does this effect?
Generally, if your organisation generates a revenue of more than $3M per annum you’re liable to comply with the legislation and you classify as an “APP Entity”.
The mandatory data breach notification scheme being introduced will require APP Entities to notify the Office of the Australian Information Commissioner (OAIC) and any potentially affected individuals of an “eligible data breach” as “soon as practicable” when there are “reasonable grounds” to believe such a breach has occurred.
What constitutes a data breach?
When there has been unauthorised access to, or unauthorised disclosure of, personal information about one or more individuals, deliberate or accidental (Eg: a USB or document left in a taxi).
An eligible data breach will arise where a reasonable person would conclude there is a likely risk of “serious harm” to any of the affected individuals as a result of the disclosure.
Serious harm is likely to include physical, psychological, emotional, economic, financial, and even reputational harm. It’s important to remember this is the “reasonable person” test.
How to notify?
To notify there are at least two steps. First you must prepare a statement containing certain prescribed information about the data breach and provide it to the OAIC. The APP Entity must then take steps to notify the affected individuals.
However, if you only reasonably suspect that an eligible data breach has occurred, the notification obligation will not arise, but you will be required by law to complete a “reasonable and expeditious” assessment into the relevant circumstances within 30 days.
Wilful blindness will not allow APP Entities to avoid the requirements of the Privacy Act.
Exceptions to the data breach notification requirement
There are exemptions and perhaps the most interesting exception is that a notification will not need to be given if the APP Entity takes remedial action before any serious harm is caused by the breach.
An example of this would be using encryption with strong passwords or remote wiping capabilities. The data may be lost but not be able to be read, thus no harm can be rendered.
The value of a strong security posture, early detection abilities and established response procedures will greatly assist a company to protect itself.
APP Entities may be subject to anything from investigations to, in the case of serious or repeated non-compliance, substantial civil penalties.
What should you do?
It is important to:
- audit your current information security processes and procedures; and
- prepare a data breach response plan to assist immediate response processes.
The OAIC provides a guiding checklist to assist APP’s. See this checklist here.
In preparation for this is it vital you take the necessary steps to ensure you have practices and procedures in place in order to comply with these legislative obligations.
For any further information or assistance please contact Brian Hay at firstname.lastname@example.org or your Hall Chadwick Melbourne Director.
Hall Chadwick Melbourne is pleased to refer clients to providers of specialist services like Brian Hay at Cultural Cyber Security.