Contact: Mark Poretti
An external hack into a business's database. An accidental slip of the finger, sending an email to the wrong recipient. A forgetful moment, leaving a work phone or laptop at a café or on public transport.
All businesses will have encountered situations like these at some point and, most probably, dealt with them internally and privately. That is no longer an option. From 22 February 2018, such disclosures of personal information, whether malicious or accidental, may be subject to mandatory notification under the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) ('the NDB Act'), which amends the Privacy Act 1988 (Cth) ('Privacy Act').
What did we have before?
Prior to the NDB Act, the privacy of personal information was protected by the Privacy Act and the Australian Privacy Principles ('APP'). The Office of the Australian Information Commissioner ('OAIC') could investigate privacy breaches and impose civil penalties on offending entities. Entities that handled personal information were encouraged to be transparent and to report privacy breaches, but notification was not mandatory.
Why is the change needed?
Businesses, like our lives generally, are becoming increasingly digital and more reliant on technology. However, the efficiency and effectiveness gained from information technology also expose businesses to the risk of cyber-crime, hackers and inappropriate disclosures of information.
This has not gone unnoticed by the community, which has become increasingly concerned about privacy. In a survey conducted by the OAIC in 2013, 89% of participants said they worry about the security of their personal information when using the internet, two thirds expressed concern that they may be a victim of identity theft or fraud in the next year, and one third said they had experienced a problem with the way their personal information was handled in the previous year.
The reality is that fraud and identity crime have increased over the years, costing the Australian economy AUD 2.4 billion in 2014. In a 2014 survey of businesses, 25% reported suffering an IT security breach in the previous year and 60% reported suffering one in the previous five years.
What are the changes?
The NDB Act requires APP entities to notify an eligible data breach to the Commissioner and to the individuals whose information has been inappropriately disclosed.
The NDB Act will apply to all APP entities. APP entities are:
There are certain entities that are exempt from the NDB Act.
Eligible Data Breach
An eligible data breach has the following elements:
If there is a potential eligible data breach but the entity has taken remedial action that has been effective in reducing the likely harm below the "serious" threshold, notification is not required.
The entity must notify the Commissioner and affected individuals as soon as practicable after it has reasonable grounds to believe there is an eligible data breach. The notification must include:
Entities do not necessarily have to notify all of their clients or customers if the disclosure was not entity-wide. Instead, notification is only required for the "at-risk" individuals, by any means of communication the entity considers effective, including telephone, email, its website or social media.
Failure to notify
If the Commissioner suspects there has been an eligible data breach and no notification has been provided, the Commissioner will invite the entity to make a submission about the potential breach. Following this, the Commissioner may issue a written direction ordering the entity to notify. Further failure to comply will be treated as an interference with the privacy of the individual under the Privacy Act, and the Commissioner may exercise its powers to investigate, to enforce undertakings and to apply for civil penalties for serious breaches.
What does this mean for your business?
Businesses should appreciate that these changes call for a holistic response to how the personal information they collect is handled. The NDB Act is intended to protect not only against malicious breaches of personal information but also against inadvertent, reckless or negligent breaches. Examples of potential eligible data breaches cited in the explanatory memorandum to the NDB Act include leaving a work laptop in a public area, accidentally sending an email containing personal information to the wrong recipient, negligent disposal of a hard disk, and allowing an employee access to confidential information within the organisation that they should not be privy to.
Accordingly, businesses should be looking not only to invest in more effective IT security systems but also to implement more effective internal management policies. Employers should invest in developing contingency plans for responding to potential breaches and ensure that all of their employees are aware of the impact of the NDB Act. As employers move to flexible work arrangements that allow employees to work outside the office, they need to consider how their employees can be equipped to mitigate the risk of data breaches.
The NDB Act represents a significant shake-up in how the privacy of personal information is protected in Australia, and businesses should be prepared and aware of how the changes will affect them.
The information in this document is general information only and should not be relied on for your specific circumstances. If you require legal advice and assistance on the matters contained in or associated with this document, you should contact Trinity Law. Subject to the limits of the law, Trinity Law disclaims any liability to persons relying on this document.
Community Attitudes to Privacy Survey Research Report 2013, Office of the Australian Information Commissioner, 2013 (Community Attitudes Report).
Identity Crime and Misuse in Australia: Results of the 2014 Online Survey, Australian Institute of Criminology, Research and Public Policy Series No. 130.