You’ve heard about the new data breach reporting regime, but what exactly is it and what do you need to do to comply?
Effective 22 February 2018, if your business is caught by the Privacy Act, you must report a ‘notifiable data breach’ to the Office of the Australian Information Commissioner (OAIC) and affected individuals.
What is a notifiable data breach?
Put simply, if you breach the privacy laws and this results in unauthorised access to or disclosure of information, or information being lost in circumstances where this is likely to occur, the breach will be notifiable if it is reasonably likely to result in ‘serious harm’ to an affected individual.
So if a privacy breach occurs, you need to identify affected individuals and assess whether they are likely to suffer serious harm. This would include consequences such as identity theft or serious physical, emotional, financial or reputational harm.
But there is some good news – if you take immediate action in response to a breach and prevent the serious harm you have contemplated, the breach will cease to be notifiable. So it pays to act promptly to identify and manage a breach!
When do I need to report?
Once you’ve identified a privacy breach, you have 30 days to investigate it and assess whether it is notifiable (which you’ll remember = likely to cause serious harm to an affected individual).
If notifiable – you must report the breach to the OAIC as soon as practicable (in other words … promptly!) and to affected individuals promptly after that.
The OAIC will be publishing an online form and Word template for OAIC notifications (they are currently in draft form). Take care when completing these and get help from a lawyer or compliance consultant if you need it.
There are various ways you can notify affected individuals. Their availability depends on whether you can determine which particular individuals are likely to suffer the serious harm you have identified.
If not notifiable – you don’t need to report a breach. Instead, deal with it in accordance with your standard Breach Management Procedures.
What do I need to do to get ready?
A few simple steps will get you well on your way toward compliance with the new regime:
A final word of advice – get started now. Implementing a new process always takes longer than you think!
The Fold’s privacy resources contain all the tools and templates you need to facilitate compliance with the new requirements.
Author: Lesley Hambusch