By McKays Business and Industry Law team

The Privacy Amendment (Notifiable Data Breaches) Act 2016 comes in to effect on 22 February 2018 and imposes obligations on entities covered by the Privacy Act, to:

be proactive when it comes to ensuring data protection;

have established guidelines for responding to a data breach; and,

take steps to notify affected individuals in the relevant authorities of a data breach.

What is an eligible data breach?
An eligible data breach is:

unauthorised access or disclosure of personal information; or

loss of information that may lead to unauthorised access or disclosure;

and, the unauthorised access to personal information could result in serious harm to the individual to whom the information relates.

What must you do if there is a data breach?
If you have reasonable grounds to believe that a data breach has occurred, you must complete a risk assessment within 30 days of the breach. As part of this assessment, you must:

prepare a statement describing: the breach, the information concerned; recommendations affected individuals should take in response to the breach;

provide the statement to the individuals who are at risk as soon as practicable; and

provide the statement to the Office of the Australian Information Commissioner (the OIAC).

There are exceptions to the notification requirements in certain circumstances.

What happens if I don’t comply?
The OIAC has extensive enforcements powers and failure to comply with the notification requirements can result in penalties of up to $420,000.00 for individuals and up to $2.1 million for corporations.

Further information
Contact McKays to ensure your processes and privacy policies are up to date. They can also work with you to put in place strategies to help prevent an eligible data breach and ensure you will be ready to respond if a data breach occurs.