For the first time in Australia, there will be an obligation on brand owners to notify both the OAIC and the affected individuals of a serious data breach of personal information the brand holds. The UK and some US states already have express notification requirements. This will require a timely assessment of whether a data breach has occurred and whether the criteria for notification have been met.
A ‘serious data breach’ is defined as being:
What constitutes ‘harm’ is broadly defined to include psychological, emotional, physical and financial harm. Brand owners will need to assess whether there is a ‘real risk of serious harm to an individual’, taking into account factors such as:
Where there is a real risk of serious harm, the company will have an obligation to notify the OAIC as well as the affected individuals. The notification must be given ‘as soon as practicable’ after the company becomes, or ought reasonably to have become, aware of the breach, with a maximum time of 30 days. Because the clock can start from when a brand owner ought reasonably to have become aware of a breach, not merely when it actually noticed, poor detection of unauthorised access does not defer the obligation; some organisations may therefore need to place greater emphasis on monitoring and detecting unauthorised access to data.
For data sent overseas for processing by third party providers, Australian brand owners must ensure they will know when a data breach occurs in respect of the information they have disclosed to the overseas provider. This may require local brands to reassess their contracts with those providers to ensure these obligations can be met.
A failure to give notification is taken, in and of itself, to be a breach of the Privacy Act and an interference with the privacy of an individual. The costs associated with complying with this proposed legislation may be significant, both in terms of monitoring and compliance and in the potential indirect costs of negative publicity following a data breach.
The exposure draft is open for public comment until 4 March 2016. It’s expected the Bill will be introduced into Parliament in 2016 and the notification requirements would become effective within 12 months.
You can find more information about the AANA codes of conduct for advertising along with an overview of advertising regulation here https://aana.com.au/advertising-regulatory-guide/