Australian Privacy Act Incident Response Guidelines

Everything you need to know to prepare your business for Australia’s comprehensive privacy law

The Australian Privacy Act 1988 may be over 30 years old, but a steady stream of amendments have kept the law up to date with the recent global trend of comprehensive privacy legislation. Violating the law carries a potential fine of up to AU$2.1 million, making it critical for every organization to understand the requirements outlined in the latest version of the law.

Automate Australian privacy obligations with the BreachRx platform

Tailor your incident response plan in minutes so you know exactly what to do by when and take the crisis out of your incident response

Who is Subject to the Australian Privacy Act

Australian government agencies and organizations with an annual turnover of more than AU$3 million must comply with the Australian Privacy Act. Small business operators with an annual turnover of less than AU$3 million must also comply if they meet any of the following criteria:

  • Private sector health service provider
  • Business that sells or purchases information
  • Credit reporting body
  • Service provider for Australian government contract work
  • Employee association recognized under the Fair Work Act of 2009
  • Accredited business under the Consumer Data Right System
  • Business that has opted into the Privacy Act
  • Business related to another business subject to the Privacy Act (e.g. a subsidiary)
  • Business prescribed by the Privacy Regulation of 2013

The following organizations are exempt from compliance with the Privacy Act:

  • State or territory government agencies (including healthcare providers)
  • Individuals acting in their own capacity
  • Universities, other than a private university and the Australian National University
  • Public schools
  • Media organizations acting in the course of journalism, if the organization is publicly committed to observing published privacy standards
  • Registered political parties and political representatives
  • Small businesses with annual turnover of less than AU$3 million that do not meet the above criteria

Extraterritorial Scope

International organizations are only subject to the Australian Privacy Act if they have “an Australian link.”

What is an Australian link?
  • Being formed or managed in Australia
  • Conducting business in Australia
  • Collecting or holding personal information from Australian residents
What indicates an organization conducts business in Australia?
  • Having employees in the country
  • Running a website that offers goods or services to Australian citizens
  • Fulfilling orders from Australia
  • Collecting personal information from people physically located in Australia

Who Enforces the Law?

The Office of the Australian Information Commissioner (OAIC) is an independent agency under the Attorney General that is responsible for enforcing the Privacy Act

What Enforcement Powers Exist?

The OAIC has the power to issue guidelines on how it interprets the Privacy Act, investigate potential violations of the law, and issue fines accordingly.

What is the Penalty for Non-Compliance?

The maximum fine for failing to comply with the Privacy Act is AU$2.1 million. However, several recent amendments have proposed increasing the penalties.

Incident Response Measures Required Under the Australian Privacy Act

The Australian Privacy Act governs the way organizations can collect, use, and store personal information.

What is personal information?Information or an opinion about an identified individual or an individual who is reasonably identifiable
What is sensitive personal information?Information about an individual’s racial or ethnic origin, political opinions, professional, political, or religious affiliations or memberships, sexual orientation or practices, criminal record, and health, genetics, and/or biometrics

When an incident related to personal information occurs, the Notifiable Data Breaches Act of 2017, which came into effect in 2018, outlines clear incident response guidelines.

What Qualifies as an Eligible Data Breach

An eligible data breach is any instance of (1) unauthorized access to or disclosure of personal information, or cases in which information is lost and the circumstances are likely to lead to unauthorized access or disclosure, that is (2) likely to result in serious harm to the individuals and (3) where the organization can not take any remedial action prevent the likely risk of serious harm.

The OAIC defines “serious harm” as any physical, psychological, emotional, financial, or reputational harm to an individual. The commission recommends organizations consider the type of data involved in the breach, as certain types of information (i.e. sensitive information), may be more likely to cause harm than others.

Organizations should determine if a breach requires notification by completing an investigation within 30 days of discovering the incident.

How to Issue a Notification Following an Eligible Data Breach

Who to notify

Organizations have three options and can choose whichever is most practical:

  • Notify all individuals affected in the breach
  • Notify only those individuals who are at risk of serious harm
  • Post a notification on their website and take reasonable steps to publicize that content (*note that the commission only recommends this option when the first two are not practical)

How to issue the notification

Organizations can use any notification method as long as it is likely to reach affected individuals, including telephone calls, SMS messages, physical mail, or email. The OAIC recommends organizations use their usual method of communications, which may vary across individuals.

What to include in the notification

  • Identity and contact details for the organization
  • A description of the eligible data breach that occurred
  • The type of information involved in the breach
  • Recommendations about what steps individuals should take in response to the breach

Exemptions from issuing a notification

  • Cases relating to enforcement activities, if it would create a prejudice against that entity’s enforcement work (but a statement to the OAIC is still required).
  • Instances of inconsistency with secrecy provisions in Commonwealth laws, though organizations should only apply this rule to the extent necessary to avoid conflicts.
  • A declaration by commissioner in cases where the OAIC decides the risks associated with issuing a notification outweigh the benefits of notifying individuals.
  • Breaches that are notified under the My Health Records Act to avoid issuing a duplicate notice.

Examples of Incidents That Can Trigger a Notification Under the Australian Privacy Act

Any incident that qualifies as an eligible data breach will trigger a notification under the Australian Privacy Act. Some of the most common examples include:

Phishing malware or trojan

Trojan Attack

When a hacker installs a malicious program inside of another program users would access for legitimate purposes, creating a backdoor to monitor users’ digital behavior and access their information.

watering hole

Watering Hole Attack

A social engineering attack that typically targets highly secure organizations in which hackers profile their intended victims to identify the websites they regularly visit and infect those sites to gain access to their computers.

open-lock

Lost or Stolen Data

Instances of lost or stolen data qualify as an eligible data breach if the situation is likely to lead to unauthorized access or disclosure that can cause harm to individuals, regardless of whether the loss was accidental.

How Organizations Can Prepare for the Australian Privacy Act

The OAIC recommends that all organizations prepare proactively by having incident response plans in place. This proactivity both ensures compliance and can reduce the potential penalties if an incident does occur. In developing these plans, organizations should focus on three essential areas of incident response:

3 Critical Phases of Incident Response

Readiness

Prepare to quickly and confidently respond when an incident occurs, which is important for meeting Australia’s guidelines around conducting an investigation within 30 days and issuing a notification promptly if needed. To do so, organizations must detail requirements in applicable laws and contracts and outline incident response plans accordingly.

Response

Put response plans into motion as quickly as possible when an incident occurs to meet Australia’s tight timelines and attempt to alleviate the risk of harm. To do so, organizations need to investigate what happened (when it happened, what data was involved, who was affected, what is the risk of harm), determine if the incident requires a notification, and take remedial action to correct the issue and reduce any potential harm.

Ongoing Management

Approach incident response planning as an ongoing effort by keeping plans up to date as potential threats and regulatory requirements change over time. To do so, organizations should introduce a centralized dashboard for all monitoring, reporting, and response plans and give stakeholders visibility into that dashboard to promote awareness and alignment.

Now is the Time to Prioritize Proactive Incident Response

The Australian Privacy Act has already changed considerably since it first came about in 1988 and recent amendments suggest more changes are coming. Combined with the fact that data breaches are now inevitable, organizations must prioritize proactive incident response.

To prioritize proactive incident response, organizations must stay up to date on regulations like the Australian Privacy Act, determine who will be responsible for security, implement response plans that can be put into action at any time, and update those plans regularly as regulatory, contractual, and privacy needs continue to change.

Supercharge your incident response strategy with the BreachRx platform

Stop using spreadsheets and documents to keep track of the tasks you need to accomplish during an incident response.