Under changes to the Privacy Act which came into effect on 22 February 2018, relevant entities are required to take reasonable steps to notify affected individuals and the Commonwealth Privacy Commissioner if:
- there has been unauthorised access to, disclosure of, or loss of, personal information held by the entity, and
- a reasonable person would conclude that the access, disclosure or loss of the personal information is likely to result in serious harm to the individual.
If the entity becomes aware, or has reasonable grounds to believe, that an eligible data breach has occurred, it must as soon as practicable take reasonable steps to notify affected individuals of:
- the identity and contact details of the entity (and of any other entities it reasonably believes may have received the information or be responsible for the data breach)
- a description of the breach
- the nature of the personal information concerned
- recommended steps to be taken by the individual
and provide a copy of the notification to the Privacy Commissioner.
Significant penalties apply for non-compliance, including penalties of up to $360,000 for individuals and $1.8 million for companies.
Accordingly, we strongly recommend businesses review their contractual documents, including terms of trade, privacy policies, and any agreements where the disclosure of personal information may be or is required, and implement best practices with respect to cyber-security and data protection.