Published on the 23/02/2017 | Written by Anthony Caruana
After years of prevarication and dithering, Australian parliament passed laws compelling companies to disclose when they suffer a data breach…
The Privacy Amendment (Notifiable Data Breaches) Bill 2016 was recently passed by the House of Representatives and Senate. The new law compels companies to notify the Privacy Commissioner when certain data is released through data breaches or accidental disclosure.
The types of data that the new rules apply to are detailed by the Office of the Australian Information Commissioner.
It’s important to note that the new rules only apply to the breaches where personal information is exposed. So, if a hacker breaks through your defences and knocks off your company’s new, top secret invention, there’s no need to tell anyone. But if your customer database is released, you’ll need to let the Privacy Commissioner know within 30 days.
The Australian Greens tried for a last minute amendment to reduce that notification period to three days, but the party was unsuccessful.
Not every organisation is subject to the new laws. This amendment to existing legislation will require government agencies and businesses covered by the Privacy Act to disclose breaches. On the business side, this means companies that turn over more than AU$3million will be subject to the new rules, as well as government agencies and those that handle health data, regardless of turnover.
At one point, the draft legislation included a provision where companies would have had to notify the Privacy Commissioner if they thought a breach may have occurred, but the rules were tightened so that only detected breaches are reported.
Companies that have suffered a breach will need to report the identity of the organisation, a description of the breach, the kind of information concerned, and recommendations to the individual as to steps to take in response to the breach.
The scheme comes into effect over the next year. Although the laws have passed through both Houses of Parliament, it still needs to receive Royal Assent.
Privacy Commissioner Timothy Pilgrim said, “My office will be working closely with agencies and businesses to help prepare for the scheme’s commencement. This will include providing additional guidance over the next 12 months, and events hosted through the OAIC’s Privacy Professionals Network.”
The new law says the civil penalty for serious or repeated interferences with the privacy of an individual will be issued by the Federal Court or Federal Circuit Court of Australia following an application by the Privacy Commissioner. Serious or repeated interferences with the privacy of an individual attract a maximum penalty of AU$360,000 for individuals and AU$1,800,000 for companies.
Reporting a breach won’t result in a fine, but failing to report a breach that is later disclosed could land a company in hot water.
Businesses have a chance to get ready for the new laws. If you or your business are likely to be subject to these laws, it’s a good time to get your data breach plan in order. Fundamentals include checking that appropriate arrangements are in place with all service providers, putting remediation plans in place, and having a well-rehearsed response plan.