Upcoming Amendments to Privacy Legislation – Privacy Act 1988 (Cth)

Significant amendments to the Privacy Act 1988 (Cth) will come into effect on 22 February 2018.  

Pursuant to these amendments, subject entities will be required to notify the Office of the Australian Information Commissioner if there has been, or that entity has reasonable grounds to believe that there has been, an ‘eligible data breach’.  

The notifiable data breach requirements are not just limited to ‘APP Entities’ under the Privacy Act 1988 (Cth).  These requirements apply equally to all entities including tax ‘file number recipients’, which are defined as persons in possession or control of a record that contains tax file number information.  The requirements therefore extend to entities with an annual turnover of less than $3,000,000.00 even though they, as a general proposition, are not required to comply with the Australian Privacy Principles.  

Therefore, in addition to all ‘APP Entities’, any entity or person who is, or may be, in possession of tax file number information about their clients, customers or any other persons, will be a ‘file number recipient’ and be required to comply with the notifiable data breach requirements (regardless of their annual turnover), subject to any available exceptions. This is in addition to existing obligations of holders of tax file numbers, including those set out in the Privacy (Tax File Number) Rule 2015 (Cth).  

In anticipation of these changes we recommend that all ‘APP Entities’ review their privacy policies, practices, and statements to ensure that they are compliant with these new requirements.  

Similarly, we recommend that entities which have a turnover below the $3,000,000.00 threshold and which are, or may be, in possession or control of a record that contains tax file number information consider what policies, statements, practices and procedures they may need to have in place to ensure that they are compliant with the notifiable data breach requirements.  It would be prudent to do so even if they are not required to have a formal privacy policy under the Australian Privacy Principles.  Such policies (howsoever described) should also have regard to the obligations imposed by the Privacy (Tax File Number) Rule 2015 (Cth) more generally.  

More information is available on the Notifiable Data Breaches scheme here, and more information on obligations regarding tax file numbers more generally is accessible here.  

Please do not hesitate to contact our expert team if we can be of any assistance in this regard.