New privacy laws commence today

22 February 2018

The Privacy Amendment (Notifiable Data Breaches) Act (Cth) 2017 came into force today.

All APP Entities are now required to notify affected individuals and the Information Commissioner if they suspect that:

  1. A data breach has occurred; and
  2. There is a real risk of serious harm as a result of the breach.

The mandatory data breach notification scheme only applies to APP Entities. APP Entities include agencies or organisations with an annual turnover of more than $3 million, private health service providers and some small businesses.

This means that if there is unauthorised access to or disclosure of personal or sensitive information (such as an individual’s name, date of birth, health record, credit history or employment status) and a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates, then the APP Entity must notify the affected individual and the Information Commissioner as soon as possible. Not every data breach has to be reported.

Penalties for non-compliance include fines of up to $420,000 for individuals and $2.1 million for businesses.

If you are an APP Entity you should review your privacy policy to make sure that it reflects the mandatory data breach notification requirements. If you suspect a data breach has occurred you should seek legal advice.

This article was written by Karen Keogh, Partner, and Chelsea Gordon, Associate.
