On 22 February 2018, the Australian Government introduced a data breach notification scheme within the Privacy Act 1988 (Cth) (‘The Act’). The Notifiable Data Breaches Scheme (‘Scheme’) is primarily concerned with the privacy of individuals and their personal information.
The new legislation
The Scheme requires certain entities to notify affected individuals if there is a data breach involving personal information that is likely to cause serious harm to individuals. The entity must also notify the Privacy & Information Commissioner (‘Commissioner’).
The Scheme seeks to protect the information held by businesses from misuse, loss, interference and unauthorised access. The Commissioner has the authority to investigate whether an entity has complied with its obligations under the Act and can make determinations under the Act.
Individuals affected by a data breach can apply directly to the Commissioner to investigate suspected breaches and may also seek relief in the Federal Court.
The scheme does not affect, or remove, existing disclosure obligations applicable to Australian businesses.
Application of the new legislation
The new legislation does not apply to small businesses, which is defined by the Act as any business with an annual turnover of less than $3,000,000. This means that many South Australian businesses will not be required to comply with the Scheme.
Other considerations for small business
However, small businesses should review the way in which they store personal information; obligations to maintain security are not limited to the Privacy Act or the Scheme.
Small businesses should take all reasonable steps to keep secure any personal information held by them. Further, businesses should consider having a clear response plan for any data breach, in order to minimise the potential harm caused by the breach.
If you are unsure about your obligations relating to storing data within your business or would like any further advice, please contact one of our conveniently located offices for a first free ½-hour appointment.