In light of the increasing risk of security breaches associated with technological advances, the Federal Government introduced the Privacy Amendment (Notifiable Data Breaches) Bill 2016 to Parliament in October 2016. On 13 February 2017 the Senate passed the Bill, and it is expected to come into effect later this year.
The Bill amends the Privacy Act 1988 (Cth) to introduce a long-anticipated mandatory data breach notification scheme.
Under the scheme, all ‘APP entities’ regulated by the Privacy Act must notify the Office of the Australian Information Commissioner (OAIC) and affected individuals of data breaches that are likely to result in serious harm to the individuals concerned.
Who needs to comply?
‘APP entities’ regulated under the Privacy Act must comply. Generally, these are:
- all private sector and not-for-profit organisations with an annual turnover of more than A$3 million;
- most Australian Government agencies and Norfolk Island agencies;
- all private health service providers;
- some small businesses; and
- credit reporting bodies and credit providers;
that handle, use and manage personal information and are required to keep that information secure under the Privacy Act.
Private health service providers are covered regardless of their turnover, because the small business exemption in the Privacy Act does not extend to them. All private health service providers are therefore affected by this.
When do you need to notify?
An ‘eligible’ data breach occurs if (1) there is unauthorised access to, or unauthorised disclosure of, personal information held by an entity, or the information is lost in circumstances where such unauthorised access or disclosure is likely to occur; and (2) a reasonable person would conclude that the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates.
The Bill’s explanatory memorandum confirms that serious harm could include serious physical, psychological, emotional, economic, reputational, identity theft and financial harm, as well as other forms of serious harm that a reasonable person would identify as a possible outcome of the data breach.
The test is an objective one: what matters is whether a reasonable person would conclude that serious harm is likely to result, not whether the affected person feels harmed. An affected person suffering personal distress on its own would not be considered ‘serious harm’.
We will gain a better understanding of the Privacy Commissioner’s interpretation of “serious harm” as the mandatory breach obligation becomes operational.
The Privacy Commissioner (on its own motion or application) has a public interest power to exempt an entity from the obligation to formally notify the Commissioner or affected individuals or to specify a date by which affected individuals are to be notified.
How do you notify?
If an entity has reasonable grounds to suspect that an eligible data breach may have occurred, it must carry out a reasonable and expeditious assessment within 30 days to determine whether it has. Once the entity has reasonable grounds to believe that an eligible data breach has occurred, it must prepare a statement and give it to the Privacy Commissioner as soon as practicable, and then notify the affected individuals of the contents of that statement as soon as practicable. Where it is not practicable to notify individuals directly, the statement must be published on the entity’s website and publicised. The statement must set out:
- the entity’s identity and contact details;
- a description of the eligible data breach believed to have occurred;
- the kind or kinds of information concerned; and
- recommendations about the steps that affected individuals should take in response to the breach.
If an APP entity fails to comply with the notification requirements, the Commissioner may conduct investigations, make determinations, seek enforceable undertakings, order compensation and/or impose significant penalties on organisations and individuals.
Are you covered?
Subject to the terms and conditions of the relevant medical indemnity insurance policy, MIGA provides cover to doctors, midwives and corporate health practices for legal liability arising from a privacy breach. It also provides cover for legal expenses associated with a complaint, investigation or proceeding by the OAIC in connection with any matter relating to privacy or confidentiality under the Privacy Act. Intentional or reckless acts giving rise to a breach are not covered under the relevant policies.
If you have a query about how to treat a privacy breach, please contact the Claims & Legal Services Department for further advice.