Until now, data breach reporting in Australia has been largely voluntary. While regulated entities have been legally obligated to take reasonable steps to maintain the security of the personal information they hold, there has been no obligation to notify individuals when their personal information is compromised. Without knowing about such breaches, individuals have been unable to take preventative action against fraud and identity theft, for instance by cancelling credit cards or changing passwords. With identity theft and related crime continuing to rise at an alarming rate, and stolen data—including PayPal and credit card account details and bank login credentials—being offered for sale on dark web marketplaces, data breaches are now considered a widespread issue that seriously impacts individuals, businesses and government agencies.
Finally though, after many years of stops and starts, the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) passed the Senate on 13 February 2016 and received assent on 22 February 2018. The reforms amend the Privacy Act 1988 (Cth) (Privacy Act) to impose mandatory data breach notification on Australian Privacy Principle (APP) entities when there has been an eligible data breach. Failure to comply exposes entities to penalties, including fines of $360,000 for individuals and $1.8 million for organisations. We look at the changes the legislation introduces and the implications of these changes for APP entities.
State government organisations, local councils and organisations with an annual turnover of less than $3 million are exempt from the Privacy Act. However, mandatory reporting applies to:
- Australian government agencies
- businesses and not-for-profit organisations with an annual turnover of more than $3 million
- private sector health services providers (a category that includes alternative medicine practices, gyms and weight loss clinics)
- child care centres, private schools and private tertiary education institutions
- businesses that sell or purchase personal information, and credit reporting bodies
- some smaller organisations, such as those that handle health data, and
- individuals who handle personal information for a living, including those who handle credit reporting information, tax file numbers and health records.