Are there any data breach notification requirements?
A data breach is a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so. Local data protection regulations have required data controllers to report such breaches in certain circumstances.
Beginning February 22, 2018, a new mandatory data breach reporting scheme will go into effect in Australia (Privacy Act, Part IIIC). The Notifiable Data Breaches scheme will require entities to provide notice as soon as practicable to the Office of the Australian Information Commissioner and affected data subjects if there are reasonable grounds to believe that an 'eligible data breach' has occurred (with a few exceptions). If a possible breach is suspected, entities must take all reasonable steps to complete an assessment within 30 days.
An 'eligible data breach' occurs when a reasonable person would conclude that there is a likely risk of serious harm (physical, psychological, emotional, economic, financial or reputational) to any affected individuals as a result of:
- unauthorized access/disclosure of personal information (including TFNs); or,
- loss of personal information where unauthorized access or disclosure is likely to occur.
Other data breaches may still be reported voluntarily to affected individuals and the regulator to meet the entity's ongoing data security obligations under the Privacy Act or health records laws (e.g. the obligation to take reasonable steps to protect personal information from unauthorized loss, disclosure, interference, modification or misuse). There are also non-binding guidelines issued by various regulators which encourage notification if serious harm is likely as a result of the breach.
HR Best Practices: Incidents in the employment context which might trigger a requirement to notify include a laptop containing TFN information being left on a train. As a best practice, employers should prepare a data breach action plan covering notification, incident documentation and response procedures.
Led by PeopleDoc’s Chief Legal & Compliance Officer, the HR Compliance Assist team relies on a network of internal and external compliance experts and lawyers, including the global law firm Morgan Lewis, to provide clients with best practices and recommendations on topics such as HR document retention, employee data privacy, and HR electronic records. HR Compliance Assist also provides local compliance monitoring and alert services in select countries where PeopleDoc’s customers have employees. HR Compliance Assist is a service exclusively available to PeopleDoc customers.