Employers will soon have an obligation to report serious privacy breaches.
This includes any privacy breach believed to cause, or likely to cause, serious harm to an affected employee or employees. Failing to report such a breach is an offence punishable by a fine of up to $10,000.
This is a significant change. It flips the current privacy-related obligations of employers on its head and puts pressure on employers to get it right.
What is a notifiable privacy breach?
The Act states that to be “notifiable”, a privacy breach must cause (or be likely to cause) “serious harm”.
“Serious harm” may seem like an ambiguous term, but thankfully the new Act offers some direction. When making an assessment, employers should consider the following:
The “serious harm” threshold draws from our Australian counterparts, so guidance from the Office of the Australian Information Commissioner may be helpful. In time, we can also expect further guidance on this from the Courts. In the meantime, we suggest employers take a cautious approach and report all breaches that cannot clearly be said not to cause serious harm. If it looks and feels serious, it probably is.
How to handle a notifiable privacy breach
So, you or your employees have found a privacy breach you consider notifiable, now what? Now you turn to the privacy policies and processes you have in place. When preparing your policies, consider the following:
This new requirement is at the heart of the new Act, and accordingly we expect the commissioner to take notification, and failures to notify, very seriously.