On 22 February 2018 new laws came into operation requiring businesses regulated by the Privacy Act 1988 to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals of certain data breaches. Johanna Churchill, of Norman Waterhouse Lawyers, has prepared this information for Food South Australia. Norman Waterhouse Lawyers are Associate Sponsors of Food South Australia.
The Privacy Act regulates businesses in the food sector that:
- have an annual turnover of over $3m
- trade in personal information (e.g. buying or selling a mailing list)
- provide services under a contract with the Commonwealth
- are related to another business regulated by the Act.
The OAIC is responsible for the implementation and enforcement of the Act.
General requirements of the Privacy Act
The Privacy Act requires businesses that are caught by the Act to comply with the Australian Privacy Principles (APPs) that are set out in that Act. The APPs are a series of general requirements dealing with the collection, use and storage of personal information by businesses. They include the requirement for the relevant business to:
- only collect, use and store personal information for permitted purposes
- take all reasonable steps to protect all personal information collected or stored from unauthorised access, use or disclosure
- implement practices and operating systems that ensure compliance with the Act
The APPs contain additional requirements in relation to dealings with certain kinds of personal information (sensitive information) such as information about an individual’s health or disability, racial or ethnic origins, political opinions or associations, religious beliefs, membership of a professional or trade association or union, sexual orientation or practices or criminal record.
They also contain additional requirements for businesses that disclose or make personal information available to overseas entities (including overseas IT and other service providers) and businesses that collect or use personal information for the purposes of direct marketing.
For the purpose of the Act, “personal information” is any information in any form which may be used to identify an individual including names, contact details, places of employment as well as photographs, video recordings and other images of individuals.
New data breach reporting requirements
As from February this year, any unauthorised access to or disclosure of personal information about an individual, or any loss of such information which may lead to unauthorised access or disclosure, must be notified if there is a likely risk of serious harm to the affected individual as a result of such unauthorised access or disclosure.
Serious harm is defined very widely to include physical, psychological, emotional, economic and financial harm as well as harm to reputation. Such harm is to be regarded as a likely risk if a reasonable person would consider it more probable than not that the serious harm will occur, having regard to a list of relevant matters to be set out in the Privacy Act.
If a business regulated by the Privacy Act suspects that such a data breach has occurred, it must investigate the matter. If the business determines that there are reasonable grounds to believe that such a data breach has occurred, it must notify the OAIC and the affected individuals as soon as practicable. However, there will be no obligation to make such notifications in cases where the business takes remedial action which prevents any unauthorised access or disclosure of the relevant information, or which prevents the likelihood of serious harm to the affected individuals.
When notifying individuals of a data breach, businesses may notify each individual affected by any kind of unauthorised access to, or disclosure or loss of, personal information, or only those individuals affected by a data breach of the kind described above (i.e. where there is a likely risk of serious harm to the affected individuals as a result of such unauthorised access or disclosure).
If a business fails to comply with these new notification requirements, the business will be in breach of the Privacy Act. The OAIC may exercise various powers in respect of such breaches including seeking enforceable undertakings from the business and, for serious or repeated breaches, pursuing civil penalties against the business.
Time to act
Having to notify customers and other business contacts affected by a data breach can cause significant damage to customer confidence in the business as well as tarnish the general reputation of the business.
In order to comply with these new requirements, businesses should immediately take the following steps:
- update their Privacy Policies and Privacy Collection Statements
- update their privacy breach response plans or procedures so that they, first, provide for immediate remedial action to be taken which may avoid the requirement for notifications to be made in respect of eligible breaches and, second, provide for notifications to be made when necessary
- conduct appropriate staff education and training in respect of these changes to the Privacy Act, and the new privacy breach response plans or procedures for the business
- review contracts with service providers, and if necessary, update them to require the service provider to assist the business in identifying and notifying eligible data breaches as required.
For more specific information on any of the material contained in this article please contact Johanna Churchill on +61 8 8210 1236 or email@example.com. Johanna is a Board Member of Food South Australia and a partner of Norman Waterhouse Lawyers. She advises on a wide range of corporate and commercial matters and has a particular interest in the food industry. Norman Waterhouse Lawyers is an Associate Sponsor of Food South Australia.