Are there any data breach notification requirements?
A data breach is a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so. Local data protection regulations have required data controllers to report such breaches in certain circumstances.
Australia's Notifiable Data Breaches scheme (under the Privacy Act) requires entities, with a few exceptions, to notify the Office of the Australian Information Commissioner and affected data subjects as soon as practicable if there are reasonable grounds to believe that an 'eligible data breach' has occurred.
If a possible breach is suspected, entities must take all reasonable steps to complete an assessment within 30 days. An 'eligible data breach' occurs when a reasonable person would conclude that there is a likely risk of serious harm (physical, psychological, emotional, economic, financial or reputational) to any affected individuals as a result of:
- unauthorized access to, or disclosure of, personal information (including TFNs); or
- the loss of personal information where unauthorized access or disclosure is likely.
Other data breaches may still be reported voluntarily to affected individuals and the regulator to meet the entity's ongoing data security obligations under the Privacy Act or health records laws (e.g. the obligation to take reasonable steps to protect personal information from unauthorized loss or disclosure, and from interference, modification or misuse). Various regulators have also issued non-binding guidelines which encourage notification if serious harm is likely as a result of the breach.
HR Best Practices: Incidents in the employment context which might trigger a requirement to notify include a laptop containing TFN information being left on a train. As a best practice, employers should prepare a data breach action plan setting out notification, incident documentation and response procedures.