If you weren't aware, you need to know that the Privacy Act 1993 has been updated and replaced by the new Privacy Act 2020 (the Act) which comes into force on and from 1 December 2020.
The new Act replaces the old one and is intended to give us confidence that our personal information is secure and will be treated properly in an increasingly digital and data-rich society. One of the key changes in the Act to help achieve this purpose is the introduction of a mandatory reporting regime for "notifiable" privacy breaches.
A notifiable privacy breach is defined in the Act as:
(a) a privacy breach that it is reasonable to believe has caused serious harm to an affected individual or individuals or is likely to do so; but
(b) does not include a privacy breach if the personal information that is the subject of the breach is held by an agency who is an individual and the information is held solely for the purposes of, or in connection with, the individual's personal or domestic affairs.
Under the Act, anything relating to a notifiable privacy breach that is known by an employee or a member of an agency is to be treated as being known by the employer or agency.
Reporting of notifiable privacy breaches will be mandatory, and there are penalties of up to $10,000 for failing to notify the Privacy Commissioner of a breach.
If you have a notifiable privacy breach, you must notify the Privacy Commissioner and the affected individuals as soon as practicable after becoming aware of the breach. You should notify the individuals directly; if this is not practicable, you should issue a public notice advising of the privacy breach.
Watch the Privacy Commissioner's website for further advice on the new Act.