Mandatory Data Breach Reporting
22 Feb 2017
On Monday 13 February 2017, the Privacy Amendment (Notifiable Data Breaches) Bill 2016 (the Bill) was passed by both houses and is now awaiting Royal Assent.
The Bill will amend the Privacy Act 1988 (Privacy Act), introducing new requirements for Australian Privacy Principle (APP) entities in the event of certain breaches of personal information. No date has been fixed for commencement at this stage.
Most aged care providers will be APP entities to which the Privacy Act applies.
Notification requirements where a suspected eligible data breach has occurred
Under the new Bill, if an entity has reasonable grounds to suspect that there may have been an “eligible data breach” (in essence, a data breach which is likely to result in serious harm), the entity must, as soon as practicable after becoming aware of the suspected breach:
- carry out a reasonable and expeditious assessment of the circumstances of the suspected data breach; and
- if a breach has occurred, give a statement to the Office of the Australian Information Commissioner (Privacy Commissioner) and the affected individuals as soon as practicable after the entity is aware there are reasonable grounds to believe that there has been an eligible data breach (unless an exception applies). The statement must include specific information prescribed under the legislation, including recommendations about the steps individuals should take in response to the breach.
There are a few exceptions to the notification requirements and the following will be most relevant to aged care providers:
- The notification requirements will not apply where the organisation has taken action before the breach results in serious harm to the individual to whom that data relates, and because of the action taken by the provider, the breach is not likely to result in serious harm; and
- A provider will not be required to disclose again under the Privacy Act if the entity is already required to make notification of the information breach under section 75 of the My Health Records Act 2012.
Please contact us if you would like any more detailed advice about the new privacy legislation and what it means for your organisation.
We will notify subscribers when the legislation commences. If you would like to subscribe to our aged care legislation service please contact Julie McStay.
If you have any questions or require advice regarding the new mandatory data notification requirements, contact Julie McStay Director - Aged Care and Retirement Living.
This content is not intended to be legal advice.