In February 2018, amendments to the Privacy Act 1988 introduced the Notifiable Data Breaches scheme. The scheme applies to all organisations and agencies that are subject to the Privacy Act and establishes a framework for assessing, containing and notifying data breaches.
Who does the Notifiable Data Breaches scheme apply to?
The scheme is set out in Part IIIC of the Act and applies to every entity that already has obligations under the Privacy Act, including Australian Government agencies and organisations (individuals, bodies corporate, partnerships, trusts and unincorporated associations). Importantly, the scheme requires an entity to notify any notifiable data breach both to the Australian Information Commissioner and to the individuals whose information is involved.
What is a Notifiable Data Breach?
In short, a notifiable data breach (the Act calls it an "eligible data breach") occurs when personal information held by an entity is lost, or is accessed or disclosed without authorisation. Under the Act, a data breach is notifiable only when both of the following are satisfied:
- the loss, unauthorised access or unauthorised disclosure involves personal information, that is, information about one or more identifiable individuals; and
- the breach is likely to result in serious harm to one or more of those individuals.
Although the Privacy Act does not define the term "serious harm", it does set out a number of factors to consider when assessing the likelihood of serious harm. These include the kind of information, its sensitivity, whether it was protected by security measures (for example, encryption) and how likely it is that those measures could be overcome, the persons who have obtained or could obtain the information, and the nature of the harm that could follow. The Explanatory Memorandum offers further guidance.
“Serious harm… could include serious physical, psychological, emotional, economic and financial harm, as well as serious harm to reputation and other forms of serious harm that a reasonable person in the entity’s position would identify as a possible outcome of the data breach. Though individuals may be distressed or otherwise upset at an unauthorised disclosure or loss of their personal information, this would not itself be sufficient to require notification unless a reasonable person in the entity’s position would consider that the likely consequences for those individuals would constitute a form of serious harm.”
What should I do if I have breached the Privacy Act?
A breach that would otherwise be notifiable ceases to be so if the entity takes remedial action quickly enough that a reasonable person would conclude the breach is no longer likely to result in serious harm to any affected individual. Where the breach is the loss of personal information, remedial action is sufficient if it prevents unauthorised access to or disclosure of the lost information (for example, remotely wiping a lost device before anyone can read its contents). Where information has already been accessed or disclosed, the remedial action must be such that, in the view of a reasonable person, the access or disclosure would not be likely to result in serious harm to the individuals to whom the information relates. Separately, an entity that has reasonable grounds to suspect a notifiable breach may have occurred must carry out a reasonable and expeditious assessment, and take all reasonable steps to complete it within 30 days of becoming aware of those grounds.