Privacy Law Update: Mandatory Data Breach Notifications to come into force by the end of 2017
March 2017 | Article | Mary Sheargold
The responsibilities placed on organisations, including charities and not-for-profits, to protect personal information continue to be a point of sharp focus for the Government, the Australian Charities and Not-for-profits Commission (ACNC) and the community.
Two recent developments are noteworthy in this area. First, the ACNC released new guidance regarding the way charities and not-for-profit organisations handle personal information received from donors and the general public in the course of their work. Secondly, new laws making it mandatory for organisations to report data breaches have been enacted and will come into effect sometime before the end of 2017.
We flagged the prospect of the Federal Government amending the Privacy Act 1988 (Cth) (Privacy Act) to introduce the new laws in November last year, when we discussed the implications of a data breach at Red Cross Australia and the likely introduction of mandatory obligations on organisations in a similar situation to report data breaches to the Australian Information Commissioner (AIC) (previously known as the Privacy Commissioner).
The changes mean that any organisation bound by the Australian Privacy Principles - that is, a federal government agency, or any organisation with an annual turnover in excess of $3 million (APP entity) - will be required to notify the AIC and comply with the requirements for reporting within 30 days of becoming aware of a suspected data breach.
The breach notification must include:
(a) a description of the data breach that the organisation believes has occurred;
(b) details of the kinds of information that were disclosed as part of the breach (for example, names, phone numbers or email addresses); and
(c) recommendations about the steps that should be taken in response to the data breach.
Further, if an organisation has reason to believe that it is not the only organisation affected by the breach, then the report must also advise the AIC of the identity and contact details of the other organisations affected.
The new laws will also oblige an organisation to provide a copy of the statement it provided to the AIC to all individuals it believes may have been affected by the data breach.
Failure to comply with the obligations may result in significant penalties under the Privacy Act. These include fines of up to $360,000 for individuals and up to $1.8 million for organisations.
Our tips for getting your organisation ready are:
First, know whether your organisation is an APP entity.
Second, review your policies and procedures. We suggest you do so in conjunction with the ACNC’s new guidelines, which encourage all charity and not-for-profit organisations to endeavour to comply with the obligations set out in the Australian Privacy Principles. As part of this, you should also consider what procedures you have in place that would help you prevent and identify a potential or actual data breach.
Third, are your policies and procedures known and followed by personnel? What practices could you introduce to help ensure you meet all your obligations under our privacy laws? What may you need to change to ensure you can comply with the requirement to notify the AIC within 30 days of becoming aware of a potential or actual data breach?
The ACNC guidance is available from its website.
We can assist you in navigating this new landscape. Please contact us if you would like a privacy health check for your organisation, or if you have any questions regarding this new mandatory reporting regime.