Tag: mandatory data-breach notification scheme

1
The OAIC engages in more in-depth investigations and stronger exercise of its power
2
Privacy Awareness Week (Health Information): Health sector and the notifiable data breach scheme – 12 months on
3
Mandatory data breach notification legislation up for discussion
4
AMCHAM Cyber Security Panel Luncheon

The OAIC engages in more in-depth investigations and stronger exercise of its power

By Cameron Abbott, Rob Pulham and Jacqueline Patishman

Following two key data incidents concerning how the Commonwealth Bank of Australia (CBA) handled data, the OAIC has successfully taken court action binding the banking heavyweight to “substantially improve its privacy practices”.

As a quick summary of the incidents, the first incident involved the loss of magnetic storage tapes (which are used to print account statements). These contained historical customer data including customer statements of up to 20 million bank customers. In 2016, the CBA was unable to confirm that the two magnetic tapes were securely disposed of after the scheduled destruction by a supplier.

Read More

Privacy Awareness Week (Health Information): Health sector and the notifiable data breach scheme – 12 months on

By Cameron Abbott, Rob Pulham, Michelle Aggromito and Rebecca Gill

It’s been a little over a year since the notifiable data breach scheme was introduced in Australia. The Office of the Australian Information Commissioner (OAIC) issued its Notifiable Data Breaches Scheme 12-month Insights Report on 13 May 2019, detailing its insights to come out of the scheme’s operation over the past 12 months. As regular readers would no doubt be aware, the health sector was one of the top industry sectors to report breaches in the first 12 months of the scheme’s operation.

Read More

Mandatory data breach notification legislation up for discussion

By Jim Bulling, Cameron Abbott, Michelle Chasser and Meg Aitken

The Attorney-General’s Department has released for discussion, an exposure draft bill regarding mandatory reporting of serious data breaches. Notification requirements will apply to companies and information subject to the Privacy Act.

Under the proposal, a company would have up to 30 days after it is aware of a breach, or ought reasonably to be aware of a breach, to assess whether a data breach is a ‘serious data breach’. A serious data breach occurs if:

  1. there is unauthorised access or disclosure of information; and
  2. there is a real risk of serious harm to any of the individuals to whom the information relates.

When considering whether there is a real risk of serious harm to an individual the draft legislation lists a number of factors that should be considered including:

  1. the kind of information;
  2. whether the information is in a form that is intelligible to an ordinary person;
  3. whether the information is protected by security measures;
  4. the kinds of person who could obtain the information;
  5. the nature of the harm; and
  6. any mitigation steps taken by the company.

If the company determines that a serious data breach has occurred, it must notify the Office of the Australian Information Commissioner (OAIC) and the affected individuals as soon as practicable. The draft legislation also gives the OAIC additional powers to direct companies to undertake notification.

The proposal has a number of differences from the previous attempts to legislate mandatory data breach reporting which were made in 2013 and 2014. Most notably, previously the trigger for notification involved a belief that there had been a data breach, the current draft requires a company to be aware, or when it ought reasonably to be aware, of a breach. Additional types of specific harm are included in the current draft, however, this is unlikely to have a major impact in practice.

Currently, data notification is only mandatory for unauthorised access to eHealth information under the My Health Records Act 2012. However, the OAIC operates a voluntary data breach notification scheme which also uses the real risk of serious harm notification threshold.

The exposure draft and accompanying discussion paper can be found here. Submissions are due by 4 March 2016.

AMCHAM Cyber Security Panel Luncheon

K&L Gates partner, Cameron Abbott will feature as part of panel of professionals active in the Cyber industry at an American Chamber of Commerce (AMCHAM) luncheon on Wednesday 28 October 2015.

The panel will discuss developments in the world of cyber security, the intent of the mandatory data-breach scheme and the far reaching impact that cyber security breaches can have on a business’s reputation and value.

The session will be moderated by Dr Tobias Feakin, Senior Analyst and Director, International Cyber Policy Centre.

For full details of the event and to register click here

Copyright © 2019, K&L Gates LLP. All Rights Reserved.