New requirements under the Privacy Act 2020 — Mandatory notifications for serious privacy breaches

30 November 2020

The new Privacy Act 2020 (Act) comes into force on 1 December 2020.

One of the more significant changes introduced is the requirement of mandatory breach notifications for serious breaches of privacy. This new framework places a higher responsibility on agencies to notify the Privacy Commissioner and affected individual(s) when there has been a serious breach.

A privacy breach is any unauthorised or accidental access to, or disclosure, alteration, loss or destruction of personal information. It can also include a situation where an agency is prevented from accessing personal information held, permanently or temporarily.

The threshold for a mandatory breach notification is high: the test is whether the breach has caused, or is likely to cause, serious harm to an individual. If this threshold is met, the Privacy Commissioner and the affected individual(s) must be notified. An agency that fails to notify the Privacy Commissioner and/or affected individual(s) of such a privacy breach may be liable for a fine of up to $10,000.

The Office of the Privacy Commissioner has created an online tool called “NotifyUs” to streamline the process of reporting privacy breaches. You can visit this online tool here. NotifyUs includes a self-assessment tool to help agencies that have experienced a data breach work out whether the breach has caused or will cause serious harm. Factors taken into consideration when assessing serious harm include:

  1. The sensitivity of the information in question;
  2. Actions taken by the agency to reduce the risk of harm;
  3. The nature of the harm that may arise;
  4. The recipient that has the personal information as a result of the breach; and
  5. What security measures have been placed on the information (i.e. encryption or password protections).

If the self-assessment tool recommends the Privacy Commissioner should be notified, the tool can be used to directly submit the information to the Privacy Commissioner.

If an agency considers there has been a breach that has caused or is likely to cause serious harm, it should also notify the affected individuals as soon as possible after becoming aware of the breach. Failure to notify the individuals may be considered an interference with the individuals’ privacy under the Act. However, an agency should be cautious about notifying individuals too soon. Although early notification comes with the best intentions, it can sometimes cause more harm to the individual (including stress). Agencies must protect individuals’ rights to privacy without inducing unnecessary fear and anxiety where there has been no actual loss or harm to individuals, or where the agency has not yet established whose personal information may have been affected.

Agencies will be expected to make their own decisions on whether individuals need to be notified in each instance. It is recommended that agencies have a Privacy Policy which explains how the agency will comply with the Act and what internal procedures will be taken when the agency becomes aware of a potential privacy breach, including how and when notifications to individuals will be made. An agency is also required to have an appointed Privacy Officer who will be responsible for encouraging an agency to comply with the Information Privacy Principles, dealing with requests made under the new Act, working with the Privacy Commissioner in relation to investigations and ensuring an agency is complying with the provisions of the new Act.

Our Commercial Disputes and Employment Team is here to assist with your privacy queries, or to assist as your organisation’s Privacy Officer.

Commercial Disputes & Employment Team