This article was first published here on CIO Australia.
In response to the growing privacy concerns around personal data, the Australian Government recently passed the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) (the ‘New Data Breach Notification Laws’).
The New Data Breach Notification Laws impose mandatory investigation and notification requirements on various businesses. Importantly, these requirements will apply to most businesses with an annual turnover greater than $3 million, with some limited exceptions. The New Data Breach Notification Laws became law on 22 February 2017 and will come into effect by 22 February 2018.
In short, if your business has IT contracting arrangements that involve disclosure or use of personal information of your employees or customers to suppliers (including overseas-based suppliers), then these new requirements will almost certainly apply to you very soon.
In addition to the penalties that repeated or serious failures to comply with the New Data Breach Notification Laws can bring (up to $360,000 for individuals and $1.8 million for companies), the costs associated with investigating and rectifying data breaches, defending litigation and ultimately reputational damage and lost business, are potentially immense.
With this in mind, we have put together a concise guide on what these new requirements mean and key takeaways on what your business should be thinking about to ensure that it is compliant with the New Data Breach Notification Laws.
‘Eligible data breach’
The New Data Breach Notification Laws centre around the concept of an ‘eligible data breach’. This occurs if:
a) there is unauthorised access to, or disclosure of, personal information held by an entity; or
b) personal information is lost in circumstances where unauthorised access or disclosure is likely to occur and, assuming such a disclosure did occur, it would be likely to result in serious harm to any of the individuals to whom the information relates.
‘Personal information’ is information or an opinion about an identified individual (regardless of whether it is true or recorded in material form), or an individual who is reasonably identifiable. This includes information such as names, addresses, emails, credit card details, tax file numbers, health information and similar information.
What is required if an ‘eligible data breach’ occurs
The diagram below sets out a summary of how businesses may assess and handle ‘eligible data breaches’ under the New Data Breach Notification Laws.
What this means for your IT supplier arrangements
Any IT contract (such as your supplier contracts) that involves your business disclosing or receiving personal information should be reviewed to ensure that it complies with the New Data Breach Notification Laws. In particular, you should consider the following:
- Do your contracts expressly require the supplier to comply with the provisions of the New Data Breach Notification Laws? Don’t just rely on broad catch-all provisions requiring the supplier to “act in accordance with the Privacy Act 1998 (Cth)”. While the data breach notification provisions are amendments to the Privacy Act, the supplier may be unaware of them.
- Do your contracts give you control over determining whether an ‘eligible data breach’ has occurred? Your supplier should be required to inform you of any ‘data breach’ (a term that should be defined broadly enough to capture both deliberate third-party breaches and inadvertent supplier disclosures). Consider retaining the right to then determine whether the breach is ‘likely to result in serious harm’ to the person to whom the information relates and ultimately whether it constitutes an ‘eligible data breach’.
- Is the supplier contractually obliged to take action to remedy the data breach and mitigate its consequences? The supplier should be required to do this as well as comply with your directions regarding handling data breaches.
- What are the timeframes for dealing with a suspected breach, and who should notify? The New Data Breach Notification Laws require an entity that suspects there may have been an eligible data breach to complete an assessment within 30 days, so the contract must set out how that time is shared between you and the supplier. Only one affected entity is required to carry out this assessment, so you need to agree who does it and who bears the associated costs.
- Do you retain control over communications with affected third parties? Where both you and your supplier are affected by a data breach, only a single notice by one of you will be required. The potential communications by your supplier to the OAIC or affected individuals will need to be carefully managed and will require consultation with you (and preferably your prior approval).
What businesses should be doing to comply
It is important for your business to ensure compliance with the New Data Breach Notification Laws by implementing internal processes to meet the assessment and notification requirements. This may include training your staff around the new laws.
Make sure that your personnel and systems can quickly detect data breaches. This may involve conducting a Privacy Information Assessment and/or implementing a Data Breach Response Plan (DBRP), and testing these regularly. If you already have a DBRP, you should review and update this plan to ensure it caters for the New Data Breach Notification Laws.
Review your existing supplier contracts and ensure that appropriate amendments are made so that your supplier is aware of, and assists with, your requirements under the New Data Breach Notification Laws.
Review your template or standard form suite of documents to ensure they cater for the New Data Breach Notification Laws.