The Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) was enacted by Federal Parliament last year to establish a mandatory data breach notification scheme in Australia. The scheme recently commenced on Thursday, 22 February 2018.
The scheme requires APP entities to promptly notify the Office of the Australian Information Commissioner (OAIC) and any potentially affected individuals of an “eligible data breach”.
APP entities include any organisation (including private sector and not-for-profit organisations) with an annual turnover of more than $3 million. It also includes any small businesses such as accountants or credit providers that:
- provide a health service and hold health information;
- disclose personal information about an individual to anyone else for a benefit, service or advantage;
- provide a benefit, service or advantage to collect personal information about another individual from anyone else;
- are a Commonwealth contracted service provider; or
- are a credit reporting body.
The scheme also applies to international companies (including small businesses) that have an ‘Australian link’. An organisation has an Australian link either because it is incorporated or formed in Australia or where it carries on business in Australia and collects or holds personal information in Australia.
Eligible data breaches arise when:
- personal information held by the entity is lost or subjected to unauthorised access or disclosure (a ‘data breach’);
- the data breach is likely to result in serious harm to individuals to whom the information relates; and
- the entity has not been able to prevent the likely risk of serious harm with remedial action.
Civil penalties of up to $360,000 for individuals and $1.8m for corporations may apply for failure to notify the OAIC under the scheme.
Any clients, including some international clients, with turnover exceeding $3 million or holding personal information as part of their business should be made aware of the implementation of the scheme.
Further information can be found on the OAIC resources page: https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme