Loss, unauthorised access and disclosure amounting to serious harm.
On 22 February 2018, a new Notifiable Data Breaches scheme came into force because of the Privacy Amendment (Notifiable Data Breaches) Act 2017. The scheme applies to all entities with an annual turnover of $3 million plus and are currently subject to the Privacy Act 1988 regarding retaining and securing personal information.
The scheme applies to personal information breaches “that are likely to result in serious harm to any individual affected”. If an eligible data breach is likely or has occurred, the relevant organisation must notify the individual/s of the risk of serious harm, and notify the Information Commissioner. Businesses affected by the scheme must have procedures and checklists to quickly identify and assess any instances of a possible data breach, and assess whether such data breaches are likely to cause serious harm to the individual/s concerned.
The Office of the Australian Information Commissioner’s (OAIC) website gives examples of ‘loss, unauthorised access and disclosure of personal information’, but states that these terms are not defined in the Privacy Act and explains them as follows.
Loss can include a laptop without a password or personal information on the device not being encrypted and is left on a train or bus.
Unauthorised Access can be an employee or an external party hacking a business’s system to access personal information.
Unauthorised Disclosure can be intentional or unintentional providing or publishing personal information outside the entity. This can include a lack of password protecting a webpage or the mechanism failing.
Businesses must determine whether the data breach is ‘eligible’ and likely seriously harm the individual/s concerned. The ‘reasonable person’ test is applied (from the business’s perspective and not the individual whose data is breached) to gauge the likely risk of ‘serious harm’. Again, this term is not defined in the Privacy Act, but is stated to be in the context of a data breach as “serious harm to the individual may include serious physical, psychological, emotional, financial, or reputation harm”. Examples of where the Commissioner must be notified is available here.
Ultimately, affected businesses must ensure they are complying with the Privacy Amendment Act in securing and protecting personal information, and ensure its procedures can identify any instances of ‘eligible data breaches’.
At Worrells, we continue to have the strongest measures to protect all individual’s in the course of our business. Any personal information held is restricted to authorised individuals within Worrells, and only relevant information is published to our website for relevant stakeholders, which is only accessible by password.