This month at HR Breakfast Club on privacy policy, we discussed the obligations under the Privacy Act 1988, including the Australian Privacy Principles and the mandatory notification procedure for eligible data breaches. BAL Lawyers' Lauren Babic shared some insights on the responsibilities surrounding information and privacy law.

What is an eligible data breach?

An eligible data breach is either:

  • Unauthorised access or disclosure of information that a reasonable person would conclude is likely to result in serious harm to any individuals to whom the information relates; or
  • Information that is lost in circumstances where unauthorised access or disclosure of information is likely to occur and it can be reasonably concluded that such an outcome would result in serious harm to any of the individuals to whom the information relates.

How and when is notification given?

Notification relating to an eligible data breach is a written statement to the individuals affected by the breach and the Office of the Australian Information Commissioner and must include:

  • A description of what occurred;
  • The kinds of information concerned; and
  • The recommended next steps that individuals affected should take in response to the data breach.

In certain circumstances, the Commissioner may declare that notification and a written statement about the eligible data breach is not necessary. The Commissioner may make this determination having considered factors such as the public interest, advice given to the Commissioner by an enforcement body or any other matters the Commissioner considers relevant.

When is it not an eligible data breach?

An access, disclosure or loss of information is not an eligible data breach if:

  1. You ‘take action’ in relation to the access or disclosure before any serious harm and, as a result of the action, a reasonable person would conclude the access or disclosure will not be likely to result in any serious harm; or
  2. You ‘take action’ in relation to any loss of information before any unauthorised access or disclosure and, as a result of the action, there is no unauthorised access or disclosure; or
  3. You ‘take action’ in relation to any loss of information after unauthorised access or disclosure but before any serious harm and, as a result of the action, a reasonable person would conclude the access or disclosure will not be likely to result in any serious harm.

If one of the above applies, then you may not be required to notify the individuals affected by the data breach.

If you require any assistance with preparing a privacy policy or advice on the eligible data breaches scheme, please contact our Business Team at BAL Lawyers.

Our next HR Breakfast Club will be held on Friday 16 August 2019 on the topic Leadership in a changing, dynamic and volatile environment, presented by Major General Gus McLachlan of PeopleScape. Please visit our HR Breakfast Club page to RSVP.