By John Vaughan-Williams, Lawyer

As we have previously reported in the Third Dimension, in October 2016 the Federal Parliament introduced the Privacy Amendment (Notifiable Breaches) Bill 2016 (Cth) (Bill). The Bill proposed amendments to the Privacy Act 1988 (Cth) (Privacy Act). These proposals then led to changes in the law, with passing of the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) (Amendment Act) on 13 February 2017.

The changes to the law, contained in the Amendment Act, have just come into effect as of 22 February 2018.

This article will set out the nature of these changes to the privacy law, and what they could mean for your organisation.

Does your organisation need to comply with the Privacy Act?

The changes set out in the Amendment Act only apply the organisations which are subject to the Privacy Act.

Numerous not-for-profits are obliged to comply with the Privacy Act, generally due to them having an annual turnover of more than $3 million (although there are also some other categories under which they may be bound). However, the Office of the Australian Information Commissioner (OAIC) also administers the “opt-in” register. This is a register of businesses and not-for-profits which have chosen to be bound by the Privacy Act, even though they are not required to by law.

Entering onto the register makes the Privacy Act binding on an organisation, just like other organisations which are automatically bound under the provisions of the Privacy Act. Therefore, organisations which are on the opt-in register are also affected by the Amendment Act.

The advantage of being on the opt-in register is that the register is available to the public, and therefore provides a public record of good privacy practice, potentially increasing consumer and member trust. If your organisation is not otherwise bound to comply with the Privacy Act, but is concerned with its public perception with respect to privacy, then you may wish to consider entering onto the register.

What is the effect of the changes to the Privacy Act?

The Amendment Act requires almost all organisations which are subject to the Privacy Act to report what are called “eligible data breaches”.

Generally a data breach occurs when:

• an unauthorised person accesses information, held by an organisation, relating to a third party;
• an organisation discloses information which it holds, regarding a third party, to another person, and such disclosure is unauthorised; or
• information which an organisation holds regarding a third party is lost by the organisation which holds it.

For a not-for-profit, members are the most common type of “third party” about whom it will hold information. However, not-for-profits may also hold information on numerous other types of third parties, including donors, employees and contractors.

Not all data breaches are considered eligible data breaches. Under the Amendment Act, an eligible data breach is a breach of an organisation’s privacy which is likely to cause serious harm. If such a breach has occurred, then the organisation will need to report that breach to the OAIC, as well as any individuals who may be affected by the breach.

How do you identify an eligible data breach?

If an organisation (which is subject to the Privacy Act) has experienced a data breach, then the first step is to identify whether that breach is likely to cause serious harm, and therefore comes under the definition of an “eligible data breach”. If the breach does not fall within the definition, then the new reporting provisions of the Amendment Act will not apply.

The term “serious harm” is not defined in the Privacy Act, and the interpretation of the term is likely to become clearer over time, as the Privacy Act is enforced by the OAIC. In determining whether a breach is likely to cause serious harm (and, therefore, is an eligible breach), the organisation is required to take an objective approach, considering how the breach would be viewed by an unbiased, reasonable person.

Despite the term not being defined, the Amendment Act sets out a list of factors that an organisation must consider in determining the probability of serious harm. These factors include the following:

• the kind, and sensitivity, of the information subject to the breach;
• whether the information is protected by any security features, and whether those features can be easily overcome;
• the kinds of persons who have obtained the information, and whether they are likely to use the information to cause harm;
• how long was the period between when the breach occurred and when the organisation became aware of it; and
• the potential types of harm associated with the breach.

For serious harm to be ‘likely’, the chance of harm must be more probable than not, as opposed to simply being possible. If an organisation reasonably suspects that an eligible data breach has occurred, it is required to conduct an assessment within 30 days of the suspected breach, even if the assessment results in a finding that no breach has occurred. It is recommended that the organisation seeks legal advice if the occurs, particularly as there are exceptions which can apply.

Once an assessment is complete, the organisation should keep records of all findings and decisions that arise as part of the assessment process.

What do you do if you identify an eligible data breach?

As a preliminary point, if an organisation identifies what would have been an eligible data breach, but rectifies the breach before any serious harm has occurred, then the breach will no longer be considered an eligible data breach. Therefore, the first step taken by an organisation should be to attempt to rectify the breach.

Otherwise, upon becoming aware of an eligible data breach, an organisation must make a notification statement to the Commissioner of the OAIC, and inform all individuals who were at risk of serious harm as to the contents of that statement.

The contents of the statement must include, among other things, details of the data breach, the kind of information covered by the breach, and what steps individuals should take to address the breach.

Failing to comply with the notification scheme will be a breach of the Privacy Act, for which the Commissioner of the OAIC may issue monetary penalties.

What do you do if you identify an eligible data breach?

Privacy law is particularly relevant to not-for-profits, which often hold personal and sensitive information about its members, as well as others. Organisations will need to update their internal processes, and have a plan in place for eligible data breaches which may occur in the future, in order to be able to respond quickly.