Corporate & Commercial


Aug 06 2018
 

Just when you thought discovering a data breach within your organisation was already a headache – such as a lost company computer or an employee disclosing unauthorised information – from 22 February 2018 this could become a migraine as you are now obliged to notify the Office of the Australian Information Commissioner (OAIC) and any affected individuals. Failure to do this can result in civil penalties.

Want to know more about the structure of this new legislation? Please read on.

The Privacy Amendment (Notifiable Data Breaches) Act 2017 amends the Privacy Act 1988 to include a new mandatory data breach notification scheme in Part IIIC of the Act. These new laws take effect from 22 February 2018.

New obligations

The mandatory Notifiable Data Breaches (NDB) scheme requires organisations and federal agencies subject to the Privacy Act to report an “eligible data breach” to the OAIC and to the individuals potentially affected.

The notification involves at least two steps. First, you must give a statement with prescribed information to the OAIC. Second, you must notify the affected individuals. Whilst the actual steps will differ depending on the circumstances, this will usually entail a statement to the individual via normal means of communication.

You must, within 30 days, carry out a prompt and reasonable assessment if you have reasonable grounds to suspect an eligible data breach.

What is an eligible data breach?

An eligible data breach will occur where there has been unauthorised access to or disclosure of personal information, or where a loss of information has occurred where unauthorised access or disclosure is likely. An objective test is applied to determine if a reasonable person would conclude that there is a probable risk of serious harm to any of the individuals affected by the unauthorised access to, or disclosure of personal information. 

What is serious harm?

The definition of serious harm is broadly construed, but will include any serious physical, psychological, emotional, economic or financial harm as well as reputational damage. Serious harm will be considered likely if the harm is determined to be “more probable than not”.

Whilst harm is not defined, the new legislation does provide a non-exhaustive list of factors that should be considered when determining if the breach is likely to result in serious harm. These include but are not limited to:

  • The type and sensitivity of the information;
  • Any security measures that have been taken, and the likelihood that such measures could be overcome;
  • The people who have access to or could obtain the information; and
  • The nature of the harm.

The first Quarterly Report released

The OAIC has published the first quarterly report of data breach notifications for 2018, receiving 63 data breach notifications in the first six weeks of the NDB programme while only receiving 114 voluntary notifications in the 2016-17 financial year. This increase in reporting will help the OAIC better identify areas of improvement in information security. To read more interesting statistics from the first quarterly report or to access the full report, click here.

What should you do?

You should continue to comply with your data security obligations under the Australian Privacy Principles and also follow the recommended steps in the OAIC’s guide to handling personal information security breaches.

You should also review your current security processes and procedures to incorporate your scheme assessment and notification obligations and consider any other systems or processes that may need to be developed to comply with the scheme.

A data response plan should also be developed, including responses to cyber and broader data security breaches. This plan should enable you to respond efficiently and lawfully to an actual or suspected data breach. This plan should be communicated to all staff with training on what to do if they suspect or become aware of a data breach.

For more information on mandatory data breach notification laws contact Peter McNamara today.

Jun 20 2018
 

Since 25 May 2018, Australian businesses which distribute goods and services to persons in the EU are now bound by strict data protection laws which are more onerous than Australian Privacy Principles. Under the General Data Protection Regulation (GDPR), personal data can only be processed if there is consent by the individual, or if there […]

May 18 2017
 

Franchisors and Parent Companies Feeling Vulnerable to Super Fines

The Fair Work Amendment (Protecting Vulnerable Workers) Bill 2017 is designed to protect vulnerable workers from exploitation by employers. The Bill is expected to pass through the Senate without much trouble. It is the Coalition’s response to the systematic underpayment of workers by franchisees in the […]

Apr 04 2016
 

From 12 November 2016 the unfair contracts provisions of the consumer law will be extended to cover standard form contracts involving small businesses. The Treasury Legislation Amendment (Small Business and Unfair Contract Terms) Act 2015 recognises the disparity in bargaining power between small businesses and their larger cousins and extends to them the protections currently […]

Feb 26 2016
 

Even where you operate your business through a company, you can, as a director, be personally liable for claims arising out of the company’s activities. The corporate shield has long been split asunder both by judge-made law and a myriad of statutes. So, apart from taking out insurance for obvious risks (such as for personal […]

Nov 10 2015
 

Established companies have many legal and commercial weapons at their disposal to protect their position. The financial power of large corporations with established supply agreements can make it almost impossible for newcomers to gain a foothold. Allegations of intellectual property infringement can be levelled at any competitor, regardless of their size. Preliminary discovery is the […]

Oct 16 2015
 

Usually, an expert’s determination expressed to be binding and non-appealable is just that – final. However, the New South Wales Court of Appeal declared an expert’s determination not binding because the expert did not follow the contract. The Court remitted the determination to the expert with directions about the proper construction of the contract. Background […]