What if I'm not sure if an eligible breach has occurred?
If an entity is aware that there are reasonable grounds to suspect that there may have been an eligible data breach of the entity then the entity must carry out a reasonable and expeditious assessment of whether there are reasonable grounds to believe that the relevant circumstances amount to an eligible data breach of the entity and take all reasonable steps to ensure that the assessment is completed within 30 days after the entity becomes aware.
In essence, if you believe a data breach has occurred then you must undertake an investigation to determine if the breach must be reported or not. Your investigation must be completed within 30 days after you become aware.
Are there any exceptions to the requirement to notify?
Yes. Following a data breach, where an entity has taken remedial actions and steps to address any potential harm to individuals that may arise due to the data breach, before any serious harm is caused to individuals to whom the information relates, the mandatory notification obligations will not apply. The key test is whether or not a reasonable person would conclude, as a result of the actions taken, that the access or disclosure or loss of information would not be likely to result in serious harm to any of the individuals to whom the personal information relates.
This exemption demonstrates the value of early detection of data breaches and well thought out actions. The ability of an organisation to detect a data breach and take action in respect of reducing any potential damage to individuals whose personal information has been disclosed or lost, will play an important part in mitigating the potential damage that such an incident can cause.
Other exemptions are also listed in the Act.
Are there any penalties if I don't comply?
Yes. Failure to comply with the new regulations will be deemed to be an interference with the privacy of an individual for the purposes of the Privacy Act. This will engage the Commissioner’s existing powers to investigate, make determinations and provide remedies in relation to non-compliance with the Privacy Act. This includes the capacity to undertake Commissioner initiated investigations, make determinations, seek enforceable undertakings, and pursue civil penalties for serious or repeated interference with privacy. Serious or repeated interference with the privacy of an individual attract a maximum penalty of $360,000 for individuals and $1,800,000 for bodies corporate.
What should I do?
Organisations and businesses subject to the Privacy Act should now take steps to ensure that their processes and procedures will enable them to meet the new obligations when they come into effect in February 2018.