
New laws have passed which may require your organisation to notify its clients and the Office of the Australian Information Commissioner (the Commissioner) if personal information held by it has been accessed without authority (for example by hacking) or has been disclosed without authority (for example published on the internet). These laws came into effect on 22 February 2018.
The new laws apply to organisations that must comply with the Privacy Act 1988. These organisations include government agencies, businesses and not-for-profit organisations that have an annual turnover of $3,000,000 or more, health providers and credit providers.
Where there has been unauthorised access to, or unauthorised disclosure of, personal information held by your organisation that is likely to result in serious harm to an individual, and your organisation has not been able to prevent the risk of serious harm with remedial action, then it must promptly notify the affected individuals and the Commissioner.
Examples where you must notify individuals and the Commissioner include lost or stolen laptops containing personal information, your databases being hacked, paper records stolen from rubbish bins, or an agency sending out personal information to the wrong email addresses. Remedial action that can be taken by your organisation which avoids the need for notification includes remotely deleting personal information on lost or stolen laptops, or securing control of your databases after they have been hacked and assessing what personal information, if any, has been accessed.
The consequences of failing to comply with the new laws include a civil penalty order against the organisation of up to $1.8 million, where there is a serious or repeated interference with privacy.
If you have any queries about your obligations under these new laws or require any further advice, please contact our experienced lawyers in our dispute resolution department, Will Punivalu or Kristina Dimasi.