The Privacy Amendment (Notifiable Data Breaches) Act 2017 (the Act) recently received assent from the Australian government. The Act requires entities regulated under the Privacy Act 1988 (Cth) to notify affected individuals and the Office of the Australian Information Commissioner of data breaches that are likely to result in serious harm. The Act will commence on a date to be fixed by proclamation or otherwise on 22 February 2018. A full copy of the Act is available under its title, Privacy Amendment (Notifiable Data Breaches) Act 2017.
Background to the Act
The mass digitisation of data in recent years means that entities hold ever larger amounts of personal information in electronic form. Consequently, there is an increased risk that a security breach involving this information could allow others to use it for identity theft and identity fraud. Imposing a notification requirement on entities that suffer breaches allows individuals whose personal information has been compromised to take remedial steps to lessen the resulting adverse impact.
The Act applies to entities, credit reporting bodies, credit providers and file number recipients that are governed by the Privacy Act 1988 and hold personal information relating to one or more individuals.
Eligible Data Breach
According to the Act, an eligible data breach occurs where there is unauthorised access to or disclosure of information from which a reasonable person would conclude that the breach would be likely to result in serious harm to any of the individuals to whom the information relates.
An eligible data breach also includes circumstances where information is lost and a reasonable person would conclude that unauthorised access to or disclosure of the information as a result of the loss would be likely to cause serious harm to the individuals to whom the information relates.
Whether serious harm to individuals is likely to occur as a result of a breach depends on consideration of the following factors:
- the kind and sensitivity of the information;
- whether the information is protected by one or more security measures and the likelihood that these security measures could be overcome;
- the kinds of persons who have obtained, or could obtain, the information; and
- the nature of the harm.
Assessment and Notification of an Eligible Data Breach
When an entity has reasonable grounds to suspect that an eligible data breach has occurred, it must carry out a reasonable and expeditious assessment of whether that suspicion is justified, within 30 days of becoming aware of it. Additionally, the entity must, as soon as practicable, prepare a statement for the Information Commissioner which:
- sets out the identity and contact details of the entity;
- describes the eligible data breach which has occurred;
- describes the kind(s) of information concerned; and
- provides recommendations about the steps that individuals should take in response to the breach.
A copy of the statement must also be provided to the individuals concerned and published on the entity’s website.
We will keep you updated on further developments in this space.
For further information on these reforms and how they may affect your business, please contact Tania Zordan, Alison Mackey or Julie Li.
Overview of Whittens
Whittens is an Australian law firm specialising in small and mid-market public company work, in particular for clients listed on the ASX. We are praised for delivering commercially astute, cost effective legal services.
Market leaders in ASX small cap work
Whittens is widely acknowledged as leading the market in small cap ASX company work. Our lawyers have unrivalled transactional experience in the small cap space and a peerless reputation for getting the deal done.
Funds management and licensing expertise
We are experienced in providing advice on the structuring, establishment and promotion of managed funds. Our lawyers have acted on numerous capital raisings for wholesale funds, listed trusts and managed investment schemes. We are also able to advise on the regulation of financial services generally, such as Australian financial services licensing and the marketing and distribution of financial products and services to wholesale and retail clients.
Company secretarial and corporate administration
Many of our clients hire us on retainer to handle all of their legal, company secretarial and corporate governance work. We act for dozens of ASX listed clients, and Whittens has a team of experienced lawyers, company secretaries and directors available to assist our clients.