Mandatory Data Breach Notification – Tips and Traps by Cheng Lim

Complete the form to receive a copy of the whitepaper.

Technology is moving fast and altering the legal landscape of your clients, and we at LexisNexis are keeping our finger on the pulse of change – with the help of our expert authors.

Cheng Lim, Partner at King & Wood Mallesons, focuses on some of the subtleties and nuances of Mandatory Data Breach Notification requirements. His recent article, Mandatory Data Breach Notification – Tips and Traps sets out key aspects of the legislative changes that may not be immediately obvious.

Mandatory data breach notification came into effect in Australia on 22 February 2018. At its core, this data breach notification regime requires APP entities to notify both the Privacy Commissioner and affected persons if there is an “eligible data breach” (a data breach which is likely to cause serious harm to individuals).

By now, I hope there are only a few APP entities unaware of this and which have not taken steps to prepare for it coming into force.  So, rather than restate the operation of the regime, this article focuses on some of its subtleties and nuances and sets out some tips and traps which may not be immediately obvious.

The data breach notification regime sits within the framework of the Privacy Act 1988 (Cth) (Privacy Act).  It therefore follows that the scope of the notification obligations, the entities bound by it and the remedies available for enforcement of the regime are determined by reference to the Privacy Act. Accordingly:

1. Personal Information. As the Privacy Act only protects personal information, the mandatory data breach notification regime only requires notification of breaches involving personal information. So a data breach involving unauthorised disclosure of or access to information about corporates or other legal entities which are not individuals will not need to be notified.

An interesting question arises in the context of cloud service providers which may hold customer information in an encrypted form – if the cloud service provider does not have the keys to the encrypted information, then it is likely that the information is not “personal information” in the hands of the cloud service provider, and any data breach involving that information would not be notifiable by the cloud service provider under the data breach notification scheme.

Similarly, as acts and practices of organisations in relation to employee records are exempt from the Privacy Act, breaches involving the disclosure of employee records are not eligible data breaches and therefore do not need to be notified. As this exemption is not applicable to agencies, any breaches involving the disclosure of employee records of agencies could be eligible data breaches which need to be notified.

Of course, we would expect that as a matter of good practice, APP entities which suffer material data breaches would be likely to notify affected persons or entities (particularly their employees!), whether or not legally required to do so.

Fill out the form to download the full copy of the whitepaper.