As of 22 February 2018, new privacy laws took effect in Australia mandating the reporting of eligible privacy and data breaches to the Office of the Australian Information Commissioner (OAIC) and to the affected individuals. The new Notifiable Data Breaches (NDB) scheme brings Australia into line with other jurisdictions that already have mandatory reporting requirements, and mirrors the breach-notification obligations of the GDPR, which applies from 25 May 2018, only a few months later.
New Zealand businesses that trade across the ditch, or otherwise collect or hold personal information in Australia, will have to comply with the NDB scheme. The OAIC has published guidance on the NDB scheme, including how organisations might deliver notifications and what to do after a data breach has been notified, to help organisations comply.
New Zealand law is following close behind. In the wake of Uber's worldwide data breach being uncovered in November last year, the New Zealand Privacy Commissioner indicated that local laws need to keep up with international developments. While New Zealand privacy law does not presently require agencies to notify data breaches, the Privacy Commissioner has recommended a number of amendments for inclusion in a Privacy Bill currently being drafted, including:
- mandatory reporting of serious data breaches, similar to the Australian NDB scheme;
- a civil penalty provision to allow the Commissioner to apply to the High Court for a civil penalty for serious breaches, of an amount which could be up to $1 million for companies; and
- a “data portability” right, being a right for an individual to receive their personal information in a usable electronic format, to facilitate the easy transfer of services from one provider to another.
Until the new Privacy Bill is released, NZ businesses can keep a close eye on how the NDB scheme is implemented across the Tasman, and particularly on how Australian businesses respond to the new requirements.
The NDB scheme requires Australian Government agencies, and the organisations that have obligations to secure personal information under the Privacy Act 1988 (Cth) (Privacy Act), to notify the OAIC and the individuals affected by a data breach where the breach is likely to result in serious harm.