Following the passage of the Privacy Amendment (Notifiable Data Breaches) Act 2017 (introduced to the Federal Parliament as a Bill in 2016), the Australian Mandatory Data Breach Notification Regime became enforceable on 22 February 2018.
The Regime requires an organisation to comply with the notification requirements if it becomes aware that there are reasonable grounds to believe an eligible data breach has occurred, or if the Australian Information Commissioner directs it to do so.
What is an ‘eligible data breach?’
An ‘eligible data breach’ occurs when all of the following apply:
- There is unauthorised access to, or unauthorised disclosure of, personal information, or personal information is lost in circumstances where such access or disclosure is likely to occur;
- A reasonable person would conclude that the access or disclosure is likely to result in serious harm to one or more of the affected individuals; and
- The organisation has not been able to prevent the likely risk of serious harm through remedial action.
Remedial action taken in time means that no eligible data breach has occurred. This is the case where:
- Information is lost and the organisation acts before there is any unauthorised access to, or disclosure of, that information, so that no unauthorised access or disclosure actually occurs; or
- Unauthorised access or disclosure has occurred and the organisation acts before any individual to whom the information relates suffers serious harm, such that a reasonable person would conclude the access or disclosure is not likely to result in serious harm to any of those individuals.
How are data breaches notified?
Notification of an eligible data breach is a three-step process.
Step 1: The organisation must prepare a statement setting out the prescribed details
- The organisation’s identity and contact details, along with the identity and contact details of any other entities should the data breach relate to more than one entity.
- A description of the eligible data breach.
- The kinds of information affected by the data breach.
- Recommendations about the steps affected individuals should take in response to the data breach.
Note: if the statement is prepared at the direction of the Information Commissioner, it must also include any other information the Commissioner specifies.
Step 2: Provide a copy of the statement to the Information Commissioner
Step 3: Notify individuals whose information is affected by the data breach about the contents of the statement
Reasonable steps must be taken to notify affected individuals of the contents of the prepared statement. This may be done by, among other methods, using the channels that the organisation ordinarily uses to communicate with those individuals (for example email, text message or post).
If an organisation cannot reasonably notify the affected individuals directly, it must publish a copy of the statement on its website (if it has one) and take reasonable steps to publicise the contents of the statement.
Exemptions from the data breach notification obligations
There are a small number of circumstances in which an organisation may be exempt from the notification obligations:
- Multiple affected entities: Where the data breach affects more than one entity, only one of those entities needs to comply with the notification obligations; once it has done so, the other affected entities do not need to notify separately.
- Enforcement related activities: Where the chief executive officer of an enforcement body reasonably believes that complying with the notification obligations is likely to prejudice any of the body’s enforcement related activities.
- Inconsistency with a secrecy provision: Where complying with the notification obligations would be inconsistent with a provision of a Commonwealth law that prohibits or regulates the use or disclosure of information.
- Declaration by the Commissioner: Where the Information Commissioner declares that the notification obligations do not apply, or are delayed for a specified period of time.
How are suspected data breaches assessed?
If an organisation has reasonable grounds to suspect that an eligible data breach has occurred, it must carry out a reasonable and expeditious assessment of whether that is the case.
The organisation must take all reasonable steps to complete the assessment within 30 calendar days of forming the suspicion. The sooner the assessment is undertaken the better, as the risk of serious harm to the individuals affected by a data breach will often increase with time.
How can you reduce your risk of a data breach?
Omnisure advises its clients and community to review their current security and privacy policies and to ensure that their processes and planned responses to data breaches align with their obligations under the Regime. Because the 30-day assessment period runs from the moment a suspicion is formed, the response plan should set out who is responsible for assessing a suspected breach and how it is escalated. Implementing internal training programs so that relevant staff are familiar with the organisation’s data breach response plan is also recommended.
Cyber insurance is also an important way to protect your business against the costs incurred as a result of a cyber attack and your business’ liability arising from a data breach. You can read more about cyber insurance, get a quote or review your current policy with one of our expert Omnisure brokers here.