FAQ – Compiled from feedback at our recent presentations.
What counts as “serious harm”?
Things to consider when deciding if there is serious harm include:
- the action you took to reduce the risk of harm following the breach
- whether the personal information is sensitive (e.g. health information)
- the nature of the harm that may be caused to affected individuals
- who obtained (or may obtain) personal information as a result of the breach
- whether the personal information is protected, e.g. by a password or encryption.
What do I do if I know that I have had a breach?
If you have committed a notifiable breach, subject to some limited exceptions (discussed below), you must use a prescribed form to notify the Privacy Commissioner and affected individuals. If it isn’t reasonably practicable to notify affected individuals, you must give public notice of the breach.
This notice must be given as soon as reasonably practicable after becoming aware of the breach. In practice, this means you must quickly assess whether the breach is notifiable, and if it is, you must provide the notice as soon as possible.
Are there any exceptions?
There are carve-outs to the notification requirement for affected individuals, as follows.
- You do not need to disclose if doing so would prejudice maintenance of the law, endanger a person’s safety, or reveal a trade secret.
- You may delay notifying affected individuals if to do so risks the security of other personal information held by you and those risks outweigh the benefits of informing affected individuals. E.g., if you identified a security vulnerability, you may wish to delay informing affected individuals until the vulnerability is fixed. As soon as the grounds for delay no longer exist, you must inform affected individuals of the breach.
Despite these carve-outs related to affected individuals, you must always notify the Privacy Commissioner of the notifiable breach as soon as practicable.
Failing to give the notice without a reasonable excuse may result in a fine of up to $10,000 or the issue of a public compliance notice. Given this, we suggest you err on the side of caution when assessing whether to notify a breach.
How can I get my business prepared for the changes to the Privacy Act?
- review and update your internal practices and systems to ensure they align with what will soon be required under the Act. Think about including processes to enable you to quickly detect breaches, to respond promptly to minimise harm, and to provide notice of a breach if required
- develop a clear view of what personal information you hold, including where it is stored and who accesses it
- provide additional training to staff who handle personal information.