What is a data breach and what do you need to do to comply?
You’ve heard about the new data breach reporting regime, but what exactly is it and what do you need to do to comply?
Effective 22 February 2018, if your business is caught by the Privacy Act, you must report a ‘notifiable data breach’ to the Office of the Australian Information Commissioner (OAIC) and affected individuals.
What is a notifiable data breach?
Put simply, if you breach the privacy laws and this results in unauthorised access to or disclosure of information, or information being lost in circumstances where this is likely to occur, the breach will be notifiable if it is reasonably likely to result in ‘serious harm’ to an affected individual.
So if a privacy breach occurs, you need to identify affected individuals and assess whether they are likely to suffer serious harm. This would include consequences such as identity theft or serious physical, emotional, financial or reputational harm.
Importantly:
- The likelihood of serious harm must be assessed on a case by case basis.
- Certain types of information are more likely than others to cause serious harm, e.g. sensitive information such as medical or health information, or information commonly used for identity theft such as Medicare, drivers licence or passport information.
- Access to or disclosure of a combination of different types of information (as opposed to a single piece of information) may be more likely to result in serious harm.
But there is some good news – if you take immediate action in response to a breach and prevent the serious harm you have contemplated, the breach will cease to be notifiable. So it pays to act promptly to identify and manage a breach!
When do I need to report?
Once you’ve identified a privacy breach, you have 30 days to investigate it and assess whether it is notifiable (which you’ll remember = likely to cause serious harm to an affected individual).
If notifiable – you must report the breach to the OAIC as soon as practicable (in other words … promptly!) and to affected individuals promptly after that.
The OAIC will be publishing an online form and Word template for OAIC notifications (they are currently in draft form). Take care when completing these and get help from a lawyer or compliance consultant if you need it.
There are various ways you can notify affected individuals. Their availability depends on whether you can determine which particular individuals are likely to suffer the serious harm you have identified.
If not notifiable – you don’t need to report a breach. Instead, deal with it in accordance with your standard Breach Management Procedures.
What do I need to do to get ready?
A few simple steps will get you well on your way toward compliance with the new regime:
- Update your Privacy Procedures – privacy breaches must be identified and reported to your Privacy Officer promptly.
- Implement a Data Breach Response Plan – document the action you will take in response to a privacy breach and the timeframes that apply to this.
- Train staff on your new procedures.
- Review your commercial contracts – they should:
- Specify who is responsible for assessing and reporting privacy breaches – if there are two parties involved in a breach only one needs to make the assessment and report. But, if neither does you could both be liable!
- If they relate to service providers – require the provider to notify you of privacy breaches immediately and cooperate with your investigation and remediation. If a breach relates to your clients, it’s better that they and the OAIC hear about it from you!
A final word of advice – get started now. Implementing a new process always takes longer than you think!
By Lesley Hambusch