Mandatory Data Breach Notification
The Privacy Amendment (Notifiable Data Breaches) Act 2016, which was passed by the House of Representatives, amends Australia's Privacy Act 1988 and is due to take effect on February 22, 2018.
Changes to the Australian Privacy Act
This amendment introduces a data breach notification scheme and will require government agencies and businesses covered by the Privacy Act to notify any individuals affected by a data breach that is “likely” to result in “serious harm”.
Upon notification of these breaches, the Office of the Australian Information Commissioner (OAIC) can determine if further action is required. A failure to notify the OAIC that is later found to constitute a serious interference with privacy under the Privacy Act may result in a fine of up to AU$360,000 for individuals or AU$1.8 million for organisations.
Actions until then
In the meantime, agencies and businesses should continue to take reasonable and cautious steps to make sure personal information is held securely. This may include preparing an action plan in case such a breach occurs.
The OAIC’s Notifiable Data Breaches webpage (https://www.oaic.gov.au/ndb) provides more details, including how to keep informed of future consultation events.
If you need assistance, please give Jenkins Legal Services a call on 02 4929 2000 or email firstname.lastname@example.org.