Notifiable Data Breach Scheme
The Office of the Australian Information Commissioner (OAIC) runs the Notifiable Data Breach Scheme, which deals with Australian Privacy Principle (APP) entities that believe they have been subject to an ‘eligible data breach’.
Any APP entity is required to self-report to the OAIC if they have committed or are likely to commit an eligible data breach.
When can an eligible data breach occur?
- Unauthorised access to personal information has occurred or is likely to occur;
- The disclosure is likely to result in serious harm to the individual affected; and
- The APP entity is unable to prevent the risk by undertaking remedial action.
In these instances, the entity is obliged to make a mandatory notification to OAIC.
Making a mandatory notification: What to do if you suspect there has been a data breach?
A notification would need to be made in circumstances where personal information is lost or stolen, is part of a database or computer system that is hacked, or is mistakenly provided to the wrong person.
In the case of any suspected breach, the entity must undertake an investigation. Once identified, the breach must be reported to both the individual(s) affected and the OAIC. The OAIC will then investigate the suspected breach.
The entity must then undertake remedial work to fix the breach and secure its processes so it doesn’t happen again.
Notifiable Data Breach Scheme
The OAIC also provides guidance and advice to all APP entities, especially those that have made a mandatory notification.
The Notifiable Data Breach Scheme facilitates any notifications to individuals affected by a data breach, so they are aware and can take their own actions to protect their privacy.
When a data breach occurs, who is liable?
When a data breach occurs in the context of an association it is important to understand the liabilities of associations and individuals (both committee members and non-committee members) in such an occurrence.
The OAIC has the power to apply to the Federal Court of Australia for an order that an entity has broken a civil penalty provision.
What is a civil penalty provision?
A civil penalty is a financial penalty imposed by courts. State and Commonwealth government bodies such as the OAIC can apply to the courts to have a financial penalty imposed against an entity or individual. Unlike criminal penalties, civil penalties do not include criminal convictions or imprisonment.
A civil penalty provision is only one of the options the OAIC has. It can also take action for serious or repeated interferences with privacy.
Insofar as who is liable for any breach, the APP entity generally bears the liability for any civil penalty provisions.
In exceptional circumstances, individuals can be personally liable where they knowingly attempt or are involved in deliberately inducing a civil penalty provision.
In other cases, where only the entity is said to be liable, whether liability falls on the entity or on individuals will depend on the legal status of the association.
An incorporated association has its own legal identity and is capable of suing and being sued.
An unincorporated association has no legal identity, and its acts are attributable to the individual members.
How to prevent civil penalty provision orders
The OAIC is unlikely to pursue civil penalty provision orders if:
- the privacy breaches are minor
- self-reporting is prompt
- an investigation is undertaken thoroughly
- appropriate remedial actions are instigated
The OAIC is more likely to consider civil penalty provision orders:
- where the breaches are serious, reckless or intentional
- where there have been multiple instances of increasing seriousness
The OAIC has the discretion to consider, and advise on, whether it chooses to seek a pecuniary penalty, and not all serious or repeated breaches will be actioned.
Whilst breaches of the APPs are punishable through provisions in the Privacy Act, the OAIC operates not only to address breaches but also to educate and guide entities. An entity can avoid penalties by being diligent, acting promptly, and regularly reviewing their position on privacy and their legal obligations.
This blog post has been written by Law Clerk, Antony Boonen and settled by Partner, Felix Hoelscher.