On February 22, 2018, Australia’s Privacy Amendment (Notifiable Data Breaches) Act 2017 took effect, introducing the Notifiable Data Breaches Scheme (the Scheme). Under the Scheme, entities that already have personal information security obligations under the Australian Privacy Act must notify the Office of the Australian Information Commissioner (OAIC) and affected individuals of all “eligible data breaches.” The Scheme is in line with breach notification laws in other jurisdictions and represents a significant boost to privacy governance in Australia, particularly in transparency and accountability.
Entities with existing obligations under the Australian Privacy Act include Australian government agencies, businesses and nonprofit organizations with an annual turnover of more than AU$3 million (about US$2.3 million), private-sector health service providers, and credit reporting bodies and credit providers. Entities based outside Australia must also comply if they have an “Australian link”: that is, they carry on business in Australia or its external territories and collect or hold (have possession or control of) personal information in Australia, whether or not the information concerns Australian citizens or residents.
Eligible data breaches
The Scheme applies only to data breaches involving personal information that are likely to result in “serious harm” to any affected individual. These are referred to as “eligible data breaches.” A few exceptions mean that notification is not required for certain eligible data breaches.
By requiring notification only where a breach is likely to result in “serious harm” to any of the affected individuals, the Scheme introduces a reasonable risk-of-harm standard that discourages over-notification. A breach requires notification only if (1) there is unauthorized access to or unauthorized disclosure of personal information, or a loss of personal information, held by an entity; (2) the breach is likely to result in serious harm to one or more individuals; and (3) the entity has not been able to prevent the likelihood of serious harm through remedial action.
Whether a data breach is likely to result in serious harm requires an objective assessment from the viewpoint of a reasonable person in the entity’s position. Unless the entity already has reasonable grounds to believe it has experienced a data breach that it must report, it must carry out a reasonable and expeditious assessment to determine whether the breach is notifiable. This assessment must be completed within 30 calendar days of the entity becoming aware of the possible breach, and ideally sooner. Entities may develop their own reasonable processes for performing this assessment; the OAIC offers advice and guidance on the assessment and other operational aspects of the Scheme.