Judge gavel with Justice lawyers, Businessman in suit or lawyer working on a documents in courtroom. Legal law, advice and justice concept.
No Comments

By Geeti Chawla, Principal at Matthews Folbigg in the Commercial Law Group

In recent years, the Privacy Laws in Australia have undergone various amendments in an effort to make them more stringent and responsive to ensure that businesses are taking all necessary steps to protect personal information and to respond adequately in the event of a data breach.  The more recent high-profile data breaches have proved to be a turning point for the latest reform to the Privacy Act 1988 (Cth) (Act) in the form of the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 (Amended Act), which came into effect on 13 December 2022.

The Amended Act introduced key changes in the form of:

  1. increased penalties for companies and individuals found to be in serious and/or repeated privacy breaches;
  2. greater regulatory powers of the Office of the Australian Information Commissioner (OAIC) and the Australian Communications and Media Authority (ACMA), including OAIC’s power to require entities to implement procedures and provide their compliance with the Notifiable Data Breach (NDB) scheme[1];
  3. greater sharing powers of OAIC and ACMA to share information with other enforcement bodies and for OAIC to publish information and notices about specific privacy breaches affecting individuals;
  4. entities no longer being limited to Australian entities but including foreign entities carrying on commercial activity in Australia.

With the Amended Act, OAIC now also has broader powers to issue infringement notices for non-compliance for individuals and companies, where the maximum penalties for serious and repeated interferences with privacy have increased:

Maximum civil penalty for Under the Act prior to the Amended Act Under the Amended Act[2]
Companies (body corporate) $2,200,000 The greater of:

  • $50,000,000; or
  • 3 times the value of the benefit that the court determines the company to have obtained (directly or indirectly) attributable to the breach; or
  • 30% of the adjusted turnover of the company during the breach turnover period where the benefit cannot be determined
Individuals $444,000 $2,500,000

NDB Scheme

The NDB scheme was introduced in 2018 to mandate organisations and agencies to notify any affected individuals and the OAIC of any data breaches likely to result in serious harm to individuals where their personal information is involved.  Data breach is deemed to occur when personal information is lost, subject to unauthorised access or provided in error to another individual or entity.

For a data breach to qualify as NDB, the data breach:

  • is likely to have resulted in serious harm to one or more individuals; and
  • the likely risk of such serious harm has not been prevented by any measure or remedial action.

What happens in the event of a data breach?

There is no one way of responding to a data breach. Instead, it must be dealt with on a case-by-case basis.  However, OAIC recommends the following steps as a general framework for entities to implement in addressing data breaches:

  1. Contain or limit the data breach;
  2. Gather facts about the potential and actual risk of the data breach and if the breach qualifies as NDB;
  3. Notify OAIC and any affected individuals of the data breach; and
  4. Review the incident pertaining to the data breach and take appropriate action to prevent future breaches.

While the above framework outlines the steps entities should take after a data breach has occurred, it does not address prevention of data breaches.  The most efficient way to prevent a data breach is to establish a data breach response plan (Response Plan) before a suspected data breach.

Response Plan

A Response Plan is an integral plan of action for entities to adopt in order to recognise, report and respond to a data breach or a potential data breach. Depending on the nature of its business, clients, and the products and/or services offered by entities, a Response Plan should:

  • identify the type(s) of personal information held by the entity;
  • identify what constitutes a data breach;
  • identify the key individuals, including external advisors, who are to be notified of a suspected data breach;
  • clarify the roles and responsibilities of staff members and key individuals;
  • identify escalation protocols;
  • set out the process(es) to contain or limit the breach and the risk assessment(s) to be conducted; and
  • if applicable, comply with data breach notification laws in other jurisdictions.

What can you do?

It is the responsibility of entities in possession of personal information to ensure that proper policies and procedures are implemented to ensure compliance with the NDB scheme and the Act generally, especially to avoid the increased penalties under the Amended Act.  Therefore, it is prudent to review existing policies and procedures relating to personal information, such as privacy policies, and consider implementing a Response Plan.

If you would like personal advice for your business or wish to discuss implementing a Response Plan for your business, contact the Commercial Law team at Matthews Folbigg Lawyers here or call us on 9635 7966.

 

[1] Section 33C(ca) of the Privacy Act 1988 (Cth).

[2] Section 13G(2)-(3) of the Privacy Act 1988 (Cth).