Employers will soon have an obligation to report serious privacy breaches. This includes all privacy breaches believed to cause (or likely to cause) serious harm to an affected employee, or employees. A failure to do so will result in an offence with a fine up to $10,000.

This is a significant change. It flips the current privacy-related obligations of employers on its head and puts pressure on employers to get it right.

What is a notifiable privacy breach?

The Act states that to be “notifiable”, a privacy breach must cause (or be likely to cause) “serious harm”.

“Serious harm” may seem like an ambiguous term, but thankfully the new Act offers some direction. When making an assessment, employers should consider the following:

  • Any action taken by the employer to reduce the risk of harm following the breach.

  • Whether the personal information is sensitive in nature.

  • The nature of the harm that may be caused to affected individuals (employees).

  • The person or body that has obtained or may obtain personal information because of the breach (if known).

  • Whether the personal information is protected by a security measure.

  • Any other relevant matters.

The “serious harm” threshold draws from our Australian counterparts, so guidance from the Office of the Australian Information Commissioner may be helpful. In time, we can also expect further guidance on this from the Courts. In the meantime, we suggest employers take a cautious approach and report all breaches that cannot clearly be said not to cause serious harm. If it looks and feels serious, it probably is.

How to handle a notifiable privacy breach

So, you or your employees have found a privacy breach you consider notifiable, now what? Now you turn to the privacy policies and processes you have in place. When preparing your policies, consider the following:

  1. Who will my staff report to if they discover a notifiable privacy breach?

  2. Who will report to the Privacy Commissioner, and affected employee or employees, if a notifiable privacy breach occurs?

  3. What systems will be put in place to avoid risk? For example, naming documents a certain way to ensure the right documents are always sent to the right people.

  4. How will we make sure our policies and processes are being followed? For example, all devices should be password protected, and physical documents left in the office at night.

  5. Who in the workplace will be responsible for, and able to manage, the above? Every business must have a workplace privacy officer. This will be the person your staff report to and the person who notifies the required people, if a notifiable privacy breach occurs.

This new requirement is at the heart of the new Act, and accordingly we expect the commissioner to take notification, and failures to notify, very seriously.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.