Notifying customers of data breaches that could cause serious harm will now be mandatory for entities under the Privacy Act following the enactment of the Privacy Amendment (Notifiable Data Breaches) Bill 2016. The amendments come as a result of record data breaches in 2016, along with some high-profile breaches of companies such as Ashley Madison (in 2015), which is reported to have leaked the names and other personal information (including credit card details) of over 30 million people.
The changes to the privacy laws on this issue have been a long time coming. This is the third time the changes have been put before parliament, and they come as a result of the recommendations of the Australian Law Reform Committee’s report on Australian Privacy Laws from 2008.
The amendments will require organisations covered by the Privacy Act to notify customers where there has been an ‘eligible data breach’. This includes where there is unauthorised access, unauthorised disclosure or loss of personal information that could reasonably cause serious harm to individuals. ‘Harm’ includes physical, emotional, reputational or financial harm.
Notifications of breaches are to be communicated to individuals in the usual way the organisation corresponds with the individual or, if that is not practical, notices are to be published on the organisation’s website. Notifications will not be required:
- where the harm as a result of the breach is not reasonably considered to be ‘serious’;
- if an organisation is sure that it has taken effective measures to remediate the harm arising from a data breach before that harm occurs; or
- where a suspected breach has occurred and following investigation the entity believes that no breach occurred (notification will be required where an investigation finds that there was a breach that could cause serious harm).
A failure to comply with the new laws once they come into effect may result in organisations facing investigation by the Privacy Commissioner, court action, compensation orders or penalties of up to $1.8 million.
The legislation provides for a grace period of 12 months before the changes come into effect, to give affected entities time to implement policies and procedures dealing with the changes.
If you have any questions about the changes or would like assistance in reviewing policies and procedures please contact our team today.