Contributed by Ajuntha Thinakaran and current to 27 July 2018
The Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) (the Data Breaches Act) provides that a notification of a data breach is to be made both to the Office of the Australian Information Commissioner (OAIC) and to any parties who are “at risk” because of the breach. The Data Breaches Act places a responsibility on corporate entities that store or possess personal information, including employers, to notify the OAIC if there has been, or is likely to be, a breach of personal information that does, or is likely to, cause serious harm to the individuals concerned. There is no definition of ‘serious harm’ in the Data Breaches Act. However, the Explanatory Memorandum provides some guidance. It states that ‘serious harm’ could include ‘serious physical, psychological, emotional, economic and financial harm’ as well as ‘serious harm to reputation and other forms of serious harm that a reasonable person in the entity’s position would identify as a possible outcome of the data breach’.
The Data Breaches Act clearly lays down that the entity itself must be one that falls within the purview of the Data Breaches Act. For companies that collect and store data, it raises the prospect of more, and potentially stricter, regulatory compliance requirements, increased cybersecurity costs and possible privacy-related legal actions resulting from data breaches.
The Data Breaches Act does not cover latent threats to individuals arising from personal information that is likely to be, or to become, available to third parties. One example of such information is any information in the public domain that is easily discoverable by third parties performing a simple internet search or phone directory search. This includes information relating to an individual’s name, change of name (if any) by deed poll, postal address (which may be the individual’s residential address) and details of the individual’s profession or business. Another example is information relating to the financial standing of an individual, such as having been declared bankrupt, the value of a residential house or even an official valuation. The availability of such information can give a general idea of an individual’s financial worth, which may have implications for that individual being targeted for unwanted marketing, or for scams such as identity theft and credit card fraud.
Some states, with the exception of Western Australia, also have information privacy legislation. A proposal by the state government to introduce state privacy legislation is currently under review.