Data breaches – is your business prepared?
27 Feb 19
With increased community concern over data protection, one of the biggest risks for an organisation can be a data breach. Community attitudes indicate that privacy protection contributes to a person’s trust in an organisation, according to the Office of the Australian Information and Privacy Commission (OAIC), write Jack Ding and Ara Daquinag from Salvos Legal.
The community must have confidence that their personal information will be properly protected. If an organisation does not demonstrate a commitment to privacy, there can be perceived to be a breach of trust and those community members will look for alternative suppliers and services. This article provides a brief guide to assist organisations to respond to data breaches effectively.
Eligible data breach
Entities that are regulated under the Australian Privacy Act (Privacy Act 1988 (Cth)) must notify affected individuals and the Australian Information and Privacy Commissioner (‘the Commissioner’) of ‘eligible data breaches’. The entities covered by this are generally businesses and not-for-profit organisations that have an annual turnover of more than $3 million.
An eligible data breach occurs when:
- There is unauthorised access, disclosure or loss of personal information, and
- This is likely to cause serious harm to the individual to whom the information relates, and
- The entity has not been able to prevent the likely risk of serious harm with remedial action.
Serious harm may include serious physical, psychological, emotional, financial or reputational harm. Examples include threats to an individual’s physical safety, identity theft, or loss of business or employment opportunities.
Suspected eligible data breach
If an entity only suspects an eligible data breach has occurred, it needs to move quickly to assess whether there are reasonable grounds to believe that there has been an eligible data breach. The faster an entity responds to a data breach, the more likely it will limit the negative consequences.
The entity must take all reasonable steps to ensure that the assessment is completed within 30 days after it becomes aware of the suspected data breach.
Notifying an eligible data breach
Once an entity is aware that there are reasonable grounds to believe that there has been an eligible data breach – the entity must as soon as practical after it becomes aware of the breach:
- Prepare a statement, including a description of the eligible data breach and recommendations about the steps that individuals should take in response to the eligible data breach, and
- Give a copy of the statement to the Commissioner.
Also, the entity must as soon as practical after preparing the statement:
- Option 1 – notify all individuals whose personal information was part of the eligible data breach, or
- Option 2 – notify only those individuals who are at risk of serious harm from the eligible data breach, or
- Option 3 – if neither of the above applies, publish a copy of the statement on its website and take reasonable steps to publicise the contents of the statement.
Commissioner’s direction to notify
If the Commissioner is aware that there are reasonable grounds to believe that there has been an eligible data breach of an entity – the Commissioner can direct an entity to notify the individuals affected, as well as provide a statement to the Commissioner about that data breach.
Before directing an entity to notify, the Commissioner must invite the entity to make a submission to the Commissioner in relation to the direction within a specified period of time.
If your organisation is affected, you may also need to consider whether the data breach triggers other legal reporting requirements. You should seek legal advice and consider whether any obligations are triggered to any of the following bodies:
- Police or law enforcement
- Australian Securities & Investments Commission (ASIC)
- Australian Prudential Regulation Authority (APRA)
- Australian Taxation Office (ATO)
- Australian Cyber Security Centre (ACSC)
- Professional bodies
- Financial services provider
Your organisation can take steps now to facilitate a speedy response and ensure legal obligations are met once an incident occurs. It is recommended that organisations review and learn from data breach incidents. This can involve:
- Developing a framework with your organisation’s IT team or staff to detect, notify and respond to data breaches;
- Reviewing existing internal policies and/or procedures to identify where and to what extent they need to be updated;
- Updating or creating internal policies and/or procedures to assist staff to comply with relevant requirements, including identifying suspected or actual eligible data breaches and taking the required steps in relation to the assessment and/or notification of eligible data breaches;
- Providing training and information to relevant staff about updated policies and/or procedures.
Importantly, there is no ‘one size fits all’ solution to responding to data breaches.