Explaining Australia's Mandatory Data Breach Notification Laws
As stated in the Privacy Amendment (Notifiable Data Breaches) Act 2017, from the 23rd of February 2018 all businesses and organisations will be required to report any eligible data breaches to the Australian Information Commissioner and to the individuals affected.
What is an eligible data breach?
The scheme only requires organisations to notify when there is a data breach that is likely to result in serious harm to any individual to whom the information relates. Examples of such breaches include:
- A device containing customers’ personal information is lost or stolen
- A database containing personal information is hacked
- Personal information is mistakenly provided to the wrong person
How and When Do I Notify?
Where an organisation becomes aware that an eligible data breach has occurred, it is obligated to notify the individuals at likely risk of serious harm and the Commissioner as soon as practicable.
Information that should be provided to both parties:
- The identity and contact details of the organisation
- A description of the data breach
- The kinds of information concerned
- Recommendations about the steps individuals should take in response to the data breach
This is to ensure that individuals can take remedial steps in the event that their personal information is compromised.
A failure to comply with the notification obligations will fall under the Privacy Act's existing enforcement and civil penalty framework. Accordingly, APP Entities may be subject to anything from investigations to, in the case of serious or repeated non-compliance, substantial civil penalties.
How to prepare
- Audit your current information security processes and procedures to ensure they are adequate (prevention will soon be much more palatable than the cure)
- Prepare a data breach response plan so as to enable the APP Entity to respond quickly, efficiently and lawfully to an actual or suspected data breach