The new law, which the Pharmacy Guild says will apply to most community pharmacies, could see businesses that fail to report a breach face fines of up to $1.8 million

The Privacy Amendment (Notifiable Data Breaches) Act 2017, which introduces mandatory data breach notification provisions for entities regulated by the Privacy Act, comes into effect on 22 February 2018.

The data breach law, which the Pharmacy Guild says will apply to most community pharmacies, means that both the Australian Information Commissioner and the individuals affected by any “eligible data breach” must be notified.

“The [Notifiable Data Breaches] scheme introduced an obligation to notify individuals whose personal information is involved in a data breach that is likely to result in serious harm,” explains the Office of the Australian Information Commissioner.

“This notification must include recommendations about the steps individuals should take in response to the breach. The Australian Information Commissioner must also be notified of eligible data breaches.”

The aim behind the law is to improve the privacy protection of Australians in the event of a data breach without creating an unreasonable regulatory burden for businesses, explains the Guild in its latest issue of Forefront.

Businesses that fail to report a breach will face fines of up to $360,000 for individuals and $1.8 million for organisations, says the Guild.

The Office of the Australian Information Commissioner says an eligible data breach arises when the following three criteria are satisfied:

  1. There is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, that an entity holds;
  2. This is likely to result in serious harm to one or more individuals; and
  3. The entity has not been able to prevent the likely risk of serious harm with remedial action.

Data breaches that are notified under s 75 of the My Health Records Act 2012 do not need to be notified under the Notifiable Data Breaches scheme – an exception intended to avoid duplication of notices under the scheme and the data breach notification requirements in the My Health Record system.

It is important to ensure compliance with the new law, including by implementing processes to meet the various assessment and notification requirements, explains PricewaterhouseCoopers in a report on the legislation.

“With greater volumes of data comes greater risk of damage through disclosure or misuse. This is particularly so with personal information,” says PwC in its report.

“Not only is there potential damage to the individuals concerned (whether that damage is financial, reputational, emotional or otherwise), but the digital economy necessarily relies on trust.

“Accordingly, various governments favour mandatory data breach reporting, amongst a suite of other initiatives, to bring accountability and transparency to organisations holding personal information.”

The Guild will be providing further information to support members in their obligations under the Notifiable Data Breaches scheme in coming weeks.

Further information is available on the Notifiable Data Breaches Scheme webpage.