The new Data Breach Notification laws will apply to small businesses and not for profit organisations that have had a turnover of over $3,000,000 in any financial year since 2002. If a business has not traded for a full 12 months, consideration must be given to what an estimated annual turnover will be.

Government agencies will also be required to comply with the new laws.

Generally speaking, most small businesses will not have to comply, however there are exceptions. A small business with an annual turnover of $3 million or less will have to comply with the Data Breach Notification laws if it is:

• A health service provider
• Trading in personal information (e.g. buying or selling a mailing list)
• A contractor that provides services under a Commonwealth contract
• A reporting entity for the purposes of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act)
• An operator of a residential tenancy database
• A credit reporting body
• Employee associations registered or recognised under the Fair Work (Registered Organisations) Act 2009
• Businesses that conduct protection action ballots
• Businesses that are related to a business that is covered by the Privacy Act
• Businesses prescribed by the Privacy Regulation 2013 or
• Businesses that have opted in to be covered by the Privacy Act.

A checklist has been created to help organisations determine if they fall into any of the above categories. The checklist can be found here.

An eligible data breach occurs when there is:

• Unauthorised access to personal information
• Unauthorised disclosure of personal information
• Loss of personal information

This personal information is held by a business and a reasonable person would conclude the loss, disclosure or access of this information is likely to cause serious harm to any of the individuals to whom the information relates.

Examples of an eligible data breach include:

• A database containing personal information is accessed by hackers
• A laptop or phone that contains customers’ personal information is lost or stolen
• An employee browses sensitive customer information without any legitimate purpose
• A contractor working on a database containing customer information takes their own copy on a USB

If a business has reasonable grounds to suspect a data breach has occurred, it must carry out a reasonable assessment within 30 days of the breach occurring. This will allow the business to identify that an eligible data breach has occurred and the correct notification process can then be followed.

However, if remedial action is undertaken and serious harm is not likely to occur, this would not be deemed an eligible data breach.

Personal information is defined by the Office of Australian Information Commissioner as ‘information or an opinion about an identified individual, or an individual who is reasonably identifiable:

• whether the information or opinion is true or not; and
• whether the information or opinion is recorded in a material form or not’

Common examples of personal information include an individual’s:

• Name
• Signature
• Address
• Telephone Number
• Date of Birth
• Medicare Card
• Driver’s License
• Passport
• Medical Records
• Bank Account Details
• Employment Details
• Credit Information
• Tax File Information
• Commentary or Opinion about a Person e.g. Employment Referee’s comments

Sensitive information can also be classed as personal information. This can include information or opinion about an individual’s:

• Racial or Ethnic Origin
• Political Opinion
• Religious Beliefs
• Sexual Orientation
• Criminal Record

Personal information of one individual may also be personal information of another individual. However, personal information will vary, depending on whether an individual can be identified or is reasonably identifiable in the particular circumstances.

It is important to also note that business information is not generally considered to be personal information. However, in some cases, personal information may be so interconnected with that business that it could constitute personal information. This can be the case for businesses that are sole traders or partnerships as well as smaller companies with one director.

According to the Office of Australian Information Commissioner, whether an individual is reasonably identifiable from particular information will depend on considerations that include:

• The nature and amount of information
• How the information was obtained
• Who will have access to the information
• Other information either held by or available to the business that holds the information
• If the information is publicly released, whether a reasonable member of the public who accesses that information would be able to identify the individual.

The following are given as examples of how those considerations may apply to particular items of information:

• Information that an unnamed person with a certain medical condition lives in a specific postcode area may not enable the individual to be identified. This would not be considered personal information. However, it may be personal information if held by a business or individual with specific knowledge that could link an individual to the medical condition and the postcode.
• A common surname that is shared by many people may not be personal information that would reasonably identify a particular individual. However, combined with other information, such as address or other contact information, it may be personal information

Whether a person is reasonably identifiable is an objective test that has practical regard to the context in which the issue arises. Even though it may be technically possible to identify an individual from information, if doing so is so impractical that there is almost no likelihood of it occurring, the information would not generally be regarded as personal information.

Where it is technically possible to make an identification, a business must consider the likelihood of this occurring by considering such factors as:

• The time and cost of identifying the person
• The resources and operational capacity of the business holding that information
• Whether a person (or business) might be especially motivated to attempt to identify someone

An individual may not be reasonably identifiable if the steps required to do so are excessively time-consuming or costly in all the circumstances.

Where it is unclear whether an individual is reasonably identifiable, a business should err on the side of caution and treat the information as personal information.

Serious harm in itself is not defined in the Privacy Act. In the context of a data breach, serious harm to an individual may include serious:

• Physical harm
• Psychological harm
• Emotional harm
• Financial harm
• Reputational harm

Examples of serious harm to an individual include:

• Identity theft
• Significant financial loss by the individual
• Threats to an individual’s physical safety
• Loss of business or employment opportunities
• Humiliation, damage to reputation or relationships
• Workplace or social bullying or marginalisation

Consideration must be given to the likelihood of a particular harm occurring, as well as the anticipated consequences for individuals whose personal information is involved in the data breach if the harm materialises.

When a business has reasonable grounds to believe an eligible data breach has occurred, they are obligated to promptly notify individuals at likely risk of serious harm. The Information Commissioner must also be notified as soon as practicable through a statement about the eligible data breach.

The notification to affected individuals and the Commissioner must include the following information:

• The identity and contact details of the organisation
• A description of the data breach
• The kinds of information concerned and;
• Recommendations about the steps individuals should take in response to the data breach.

A template for notification has been developed and is available here.

The Notifiable Data Breaches Scheme provides flexibility around notifying an individual, providing three different options. These options depend on what is ‘practical’ for the business and are as follows:

Option 1 – Notify all individuals

If it is practical, a business can notify all of the individuals to whom the data breach relates. This option may be suitable if a business cannot easily determine which particular individuals have been breached. This approach ensures that all individuals that may be at serious harm are notified.

Option 2 – Notify only those individuals at risk of Serious Harm

If practical, a business can notify only those individuals that are at risk of serious harm from the eligible data breach. This requires a business to be able to easily identify individuals or a specific subset of clients that have been affected and need to be notified.

The benefit of this targeted approach is that it avoids unnecessary distress to individuals that are not at risk whilst also reducing the administrative costs involved.

Option 3 – Publish Notification

If neither option 1 or 2 above are practicable, then the business must:

• publish a copy of the statement on its website, if it has one
• take reasonable steps to publicise the contents of the statement

This option would likely be required in the event that a business does not have up-to-date contact details for all individuals.

Businesses must take proactive steps to publicise the eligible data breach rather than just simply posting the information to a website. This will increase the likelihood that the eligible data breach will come to the attention of individuals at risk of serious harm.

While the Privacy Act 1988 (Cth) does not specify the amount of time that an entity must keep the information accessible on their website, the Information Commissioner would generally expect that it is available for at least 6 months.

The Data Breach Notification laws states that a civil penalty can be applied to a business. Individuals face a maximum fine of $360,000 and businesses $1,800,000 for serious or repeated interference of an individual’s privacy.

Each quarter, the Office of Australian Information Commissioner will release their report based on notifications received. To read these, visit the below pages:

• 2018 – Quarter 1

Businesses need to ensure they have planned adequately for the introduction of the new Data Breach Notification laws. Businesses need to consider the following:

• Assess and update its Privacy Policy
• Review its existing processes around data security
• Review relevant contracts with key suppliers to determine how information is to be handled
• Educate relevant staff on upcoming Data Breach Notification laws
• Create Data Breach management strategy
• Consider Cyber Insurance to protect the business against financial loss

For a detailed overview, please visit our step by step guide for preparing your business for the Data Breach Notification laws.