New notification requirements under the Privacy Act
The Privacy Amendment (Notifiable Data Breaches) Act 2017 was introduced early this year as an amendment to the Privacy Act 1988. It introduces mandatory notification requirements for 'eligible data breaches' for entities regulated by the Privacy Act. The new requirements are set to take effect from 22 February 2018.
Once the Act takes effect, entities regulated by the Privacy Act will be obliged to notify any individuals likely to be at risk of serious harm as a result of a data breach. The notice must include recommendations about the steps those individuals should take in response to the breach. What is regarded as an eligible data breach is explained below:
A notifiable (eligible) data breach is a data breach that is likely to result in serious harm to any of the individuals to whom the information relates. It arises where:
- there is unauthorised access to, or unauthorised disclosure of, information held by an entity; or
- information is lost in circumstances where unauthorised access to, or unauthorised disclosure of, that information is likely to occur; and
- a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates.
Fund managers, administrators and registry providers, as recipients and sources of personal information for every unit holder and shareholder, are highly exposed to potential data breaches. The amendments to the Privacy Act place further obligations on trustees, their administrators, insurers and their staff to maintain the security of the personal information they receive. As a starting point, the confidentiality and privacy provisions in any agreement should require a counterparty to notify the manager of any actual or potential breach within a very limited timeframe.
These amendments will require those in charge of compliance to put policies and procedures in place so that those responsible can respond to any potential eligible data breach within the required time: identifying the breach, taking action to remedy it, and notifying the affected parties.
As with many things in life, prevention is a good means of protection against a privacy breach. Investing in IT security and in staff education to lower the risk of a data breach will reduce the likelihood of your organisation needing to respond to a notifiable breach.
Should you have any questions in relation to this matter or would like additional information, please call your relevant ESV engagement partner on 02 9283 1666.