Mandatory Data Breach Notification Australia

Mandatory Data Breach Notification Bill in Australia

Both houses of the Australian Parliament passed the Privacy Amendment (Notifiable Data Breaches) Bill in February 2017, with the support of both the Labor and Liberal parties.

Data breaches have grown in frequency and scale in recent years, both in the volume of records exposed and in the number of people affected. They no longer hit only commercial infrastructure: healthcare providers, which hold some of the most sensitive personal data of all, have been breached as well.

The legislation, introduced as the Privacy Amendment (Notifiable Data Breaches) Bill 2016, was passed after several years of effort. Australia is not the first country to adopt such a scheme: in the United States, 48 states already had breach notification statutes in force.

Mandatory Data Breach Notification Scheme

The primary purpose of a breach notification law is to ensure that individuals whose personal information has been compromised find out promptly, so that they can take protective steps (for example, changing passwords or monitoring their accounts), and to push entities to handle breaches more quickly and systematically.

Australian Government agencies and the private-sector organizations that are subject to the Privacy Act 1988 and the Australian Privacy Principles (APPs), collectively known as "APP entities", are covered by the scheme. When such an entity suffers an "eligible data breach", it must notify the Office of the Australian Information Commissioner (OAIC) and the affected individuals.

Penalty for the Failure of Notification

APP entities must comply with the scheme. Under the Privacy Act, a failure to notify an eligible data breach is itself treated as an interference with the privacy of the affected individuals.

An affected individual can then lodge a complaint with the OAIC. After investigating, the Commissioner may make a determination that requires the entity to compensate the individual for loss or damage, or to take steps so that the failure is not repeated.

Where the conduct amounts to a serious or repeated interference with privacy, the Commissioner can seek civil penalties in court: at the time the bill passed, up to $360,000 for an individual and up to $1.8 million for a body corporate.

Who Are Excluded From The Data Breach Notification Bill?

Not every entity, or every breach, is covered; the scheme contains exemptions. An enforcement body, for instance, is not required to notify affected individuals where its head reasonably believes that notification would be likely to prejudice one or more ongoing enforcement-related activities.

Another is the remedial action exception: if the entity acts before the breach results in serious harm, and as a result a reasonable person would conclude that the access or disclosure is no longer likely to result in serious harm, the breach is not an eligible data breach and need not be notified.

Factors That Validate an “Eligible Data Breach”

Once an APP entity has reasonable grounds to believe that an eligible data breach has occurred, it must notify the OAIC and the affected individuals as soon as practicable. (If it only suspects a breach, it must carry out a reasonable and expeditious assessment, to be completed within 30 days.) The elements of an "eligible data breach" are:

  • A data breach occurs when there has been unauthorized access to, or unauthorized disclosure of, personal information about one or more individuals. It also occurs when personal information is lost in circumstances where such unauthorized access or disclosure is likely to happen.
  • The breach is an eligible data breach when a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals concerned.
  • Serious harm includes physical, psychological, emotional, financial or reputational harm.

How It Can Help the Victims

If the APP entity has reasonable grounds to believe that an eligible data breach has occurred, it prepares a statement and notifies the Commissioner, then the affected individuals. The statement must set out the identity and contact details of the entity, a description of the breach, the kinds of information concerned, and the steps the entity recommends individuals take in response.

Where practicable, the entity must notify either all individuals whose personal information was involved in the breach, or only those individuals who are at risk of serious harm. If neither is practicable, it must publish the statement on its website and take reasonable steps to publicize it.

APP entities were given a 12-month transition period to review their current security controls and incident response processes, and to plan the improvements needed to bring them into line with the mandatory data breach notification scheme.

The scheme came into effect on 22 February 2018.

Mohsin Qadir is an information security analyst in the making, a father of an adorable kid and a technology writer (Contributor). He can be found lurking around top network security blogs, looking for scoops on information security and privacy trends.
