Lawcovernotes March 2017
It amends the Privacy Act 1988 to include mandatory reporting of data breaches. These changes will apply to:

- Australian government agencies
- Private sector enterprises with a turnover of more than $3m
- Health service providers and holders of health records
- Credit reporting bodies

The changes, which will take effect over the next 12 months, will require organisations subject to the Act to notify the Information Commissioner and any affected individuals of a data breach that is likely to cause serious harm.

What is a breach?

According to the amended Act, a breach occurs when there is unauthorised access to, disclosure or loss of personal information held by the organisation, and a reasonable person would conclude that the loss or disclosure would lead to “serious harm” to the affected individual. The factors that might lead a reasonable person to conclude that “serious harm” has occurred are set out in section 26WG. They include:

- The sensitivity of the information
- Whether the information was encrypted
- Whether the information was in a secure file
- How likely it is that the security could be breached
- The identity of the person who obtained the information, whether they intend to cause harm to the affected person, and the nature of the harm

The Information Commissioner has, in the past, indicated that loss of personal information which could result in identity theft would be considered “serious harm”.

There are exceptions in the legislation for situations where an organisation, on discovering a data breach, has taken remedial action before serious harm has occurred. In that case, the breach is not reportable (see section 26WF).

Investigation

There may be circumstances where an organisation is unclear whether or not there has been a data breach. An organisation with reasonable grounds for suspecting that there may have been a breach has 30 days to assess whether, in fact, there has been a breach, and then take steps to comply with the notification regime.

Notification

As soon as practicable after becoming aware of an eligible data breach, an organisation must notify affected individuals and the Information Commissioner of the details of the breach and the information compromised, and recommend actions the affected individuals should take in response.

If your law practice has a turnover of more than $3m per annum or holds health records for clients, you should consider implementing a data breach response plan. You might also consider whether your clients might need assistance in preparing their own response plans if they are affected by the legislation.

Elissa Baxter
General Counsel
Company Secretary