Co-authored by Amy Le Ray, Law Clerk
The Privacy Act 1988 regulates how personal information is managed with 13 Australian Privacy Principles, APPs, underpinning how Privacy Act regulated organisations manage personal information, including keeping it secure.
Guidelines for these APPs are issued by the Office of the Australian Information Commissioner and set out the mandatory requirements organisations need to comply with in order to fulfil their obligations under the Privacy Act.
The APP guidelines set out that reasonable steps are required of an organisation to ensure the security of personal information with APP11 requiring organisations to take active measures to protect personal information from:
- interference and loss
- unauthorised access
Non-compliance with the APPs can lead to action being taken by the OAIC against organisations for breaches of the Act which can result in financial penalties being imposed.
Currently the Privacy Act and the APP guidelines do not provide for the mandatory reporting of a data breach, either to the Office of Australian Information Commissioner or to the affected person/s. And while the OAIC encourages notification of a data breach “as part of good privacy practice,” it is not a mandatory obligation.
Therefore, currently there is no compliance requirement to notify the OAIC or potentially affected individuals if there is a breach or suspected data breach.
The Privacy Amendment (Notifiable Data Breaches) Bill 2016 amends the Privacy Act 1988 to introduce mandatory data breach notification provisions in the event of actual or possible disclosure or access to an individual’s personal information. The Bill’s provisions warrant detailed analysis, but it is worth noting in short, that an important criterion for the reporting the requirement is that serious harm is likely to result from the breach.
There would appear to be potential for a good many complications to accompany the practical application of this principle and the passage of the Bill should therefore be on the watch list for many potentially affected organisations.
The information published in this paper is of a general nature and should not be construed as legal advice. Whilst we aim to provide timely, relevant and accurate information, the law may change and circumstances may differ. You should not therefore act in reliance on it without first obtaining specific legal advice.