On February 22nd, 2018, Australia’s new Mandatory Data Breach Notification Laws come into effect, mandating a legal requirement to disclose information on any serious data breach, both to the affected individuals as well as to the Privacy Commissioner. The current penalties for non-compliance under this regulation range from $360K for an individual to $1.8M for a corporation, but it has been proposed to raise these amounts to $420K and $2.1M respectively, effective July 1, 2017.
Businesses that must comply include any organizations that are governed by the Privacy Act, including:
And additionally, it applies to specific types of businesses with a turnover of less than $3M, which include:
Individuals who handle personal information in the course of doing business (including insurance brokers, bankers, accountants, attorneys, health insurance providers)
After the laws come into effect, you will be required to report any relevant data breaches to the Australian Privacy and Information Commissioner. You must also notify any individual whose private information may have been compromised.

Not all data breaches, however, will require notification. There must be a reasonable expectation on your part that the data in question has been lost, accessed, or disclosed unlawfully and without authorization, and that this would potentially result in harm to the individual or individuals in question.

Harm, in this sense, can mean a variety of things. It could be psychological or emotional in nature, in the sense that personal information is exposed that reveals something the person did not want to be known, such as a serious disease or other personal health details. The harm caused could be financial or professional in nature, such as the disclosure of previous criminal records or activity, political information, personnel files from a previous employer, or anything that may harm the person’s ability to conduct business or obtain a job. If any harm is perceived as being the outcome of the breach, it may be considered an offence.

To determine whether a breach is eligible under the Act, refer to Part IIIC of the Act, which outlines the various breaches as well as the notification process. This section of the law will help you to pinpoint whether the breach is likely to result in serious harm under the terms of the law and whether it is necessary to report it. Things like personal medical and credit card information should rank high on your radar, as there is no question that a breach of this type of information could potentially cause significant harm.

If a breach occurs, you have 30 days to make a full assessment of the potential for harm. Following that, and if it is found that a breach has occurred, you must submit your report to the commissioner and to each individual in question as expeditiously as possible.

In your report, you must disclose what happened (a detailed description of the breach), the type of information that was compromised, accessed or lost, and what the individual in question can do to respond to the incident, which might include prompting them to change passwords on their accounts or backing up information stored on the server.

Fines will be levied for breaches considered to be serious, or committed by repeat offenders, by the Federal Circuit Court of Australia following a recommendation by the Privacy Commissioner.
If you have any concerns about your company’s IT security policies and would like to update your data protection protocols, or if you have questions about whether Australia’s Mandatory Data Breach Notification Laws apply to your business, call Greenlight-ITC today. We are Melbourne and Sydney’s business IT headquarters, helping your company stay secure and compliant every step of the way.