All about Australian Privacy Laws (and Notifiable Data Breach Scheme)

If you have undertaken the Compliance Questionnaire, you may be wondering what further steps you can undertake to ensure your compliance and improve your cyber resilience.

As an Australian organisation, not only will you need to comply with the Privacy Act 1988, you may also need to comply with the Notifiable Data Breach Scheme.

The following organisations and their resources are a good first step towards understanding the various Australian privacy regulations and your obligations as a business:

Australian Privacy Principles (“13APPs”)

The Australian Privacy Principles are embedded within the privacy protection framework of the Privacy Act 1988 and govern your business’ obligations in handling personal information:

  • collection, use, and disclosure of personal information
  • your business or organisation’s accountability and governance surrounding data safeguarding
  • integrity and correction of personal information
  • rights of individuals to access their personal information

Failure to adhere to the above Principles amounts to an “interference with the privacy of an individual”, leading to regulatory action and penalties. Fines could range from $2.1 million to $10 million, or three times the value of any benefit obtained from such misuse of information, and/or 10% of a company’s annual domestic turnover.

The Privacy Commissioner can award compensation to individuals ranging from $1,000 to $20,000 for non-economic loss for each privacy breach. The Commissioner can also apply to the court for an order requiring a non-complying entity to be fined. The fine can range from $525,000 to $2.1 million for a body corporate and $105,000 to $420,000 for any other entity.

Notifiable Data Breach (“NDB”) Scheme

Under this scheme, your organisation or business is required to notify affected individuals should a breach occur, in particular where the breach is likely to result in serious harm to the individuals whose personal information is involved.

Personal information under the Privacy Act includes photographs, internet protocol (IP) addresses, voice print and facial recognition biometrics, mobile device location information and sensitive information.

A ‘data breach’ has occurred and must be reported under the following three circumstances:

  1. When there has been unauthorised access to or unauthorised disclosure of personal information, or a loss of information, resulting in an individual becoming ‘reasonably identifiable’ as a result
  2. When the breach results in serious harm to one or more individuals (while “serious harm” is not defined in the Privacy Act, it may include serious physical, psychological, emotional, financial or reputational harm)
  3. When your business has not been able to prevent the likely risk of serious harm with remedial action

Your business must carry out the following steps if a suspected breach has occurred:

  • Notify individuals at risk of serious harm and the Privacy Commissioner about the eligible data breach
  • Provide an eligible Data Breach Statement

Failure to report a data breach is itself a breach of the Privacy Act, resulting in regulatory action and fines.
