Cybersecurity 2025

AUSTRALIA Law and Practice Contributed by: Dennis Miralis and Jack Dennis, Nyman Gibson Miralis

be with certified service providers. However, this policy requirement is not restricted to “strategic level” certification per the SOCI Act. Under this framework, there are three certification levels: “strategic”, “assured” and “uncertified”. Depending on a government department’s risk profile and data set, it may contract with a “Certified Assured Service Provider”.

6. Cybersecurity in Other Regulations

6.1 Cybersecurity and Data Protection

The Privacy Act

Scope

Federally, data containing personal information is protected under the Privacy Act, which regulates the handling of this information by “APP entities”. At this juncture, it is important to note two definitions.

• “Personal information” under the Privacy Act is defined broadly as information or an opinion about an identified or reasonably identifiable individual. It is not required to be true or recorded in a material form. Personal information also includes “sensitive information”, which includes information or opinions on an individual’s race, ethnicity, politics, religion, sexual orientation, health, trade associations and criminal records. Sensitive information is often afforded a higher level of protection than other personal information.

• “APP entities” are, subject to some exceptions, federal government agencies, private sector organisations with an annual turnover of over AUD3 million and smaller entities with data-intensive business practices (including private health providers, businesses that sell or purchase personal information and service providers to the federal government).

Schedule 1 of the Privacy Act contains 13 APPs, which are minimum standards for processing and handling personal information by APP entities. The Privacy Act also requires mandatory reporting for certain APP breaches under the NDB scheme. Breaches of the Privacy Act may result in investigation and enforcement action by the OAIC.

Reporting obligations (the NDB scheme)

The NDB scheme requires APP entities to notify both affected individuals and the OAIC where there are reasonable grounds to believe that an “eligible data breach” has occurred. In short, as per Section 26WE(2) of the Privacy Act, an “eligible data breach” occurs where:

• there is unauthorised access to/disclosure of personal information and a reasonable person would conclude that this “would be likely to result in serious harm to any of the individuals to whom the information relates”; or

• personal information is lost in circumstances where a reasonable person would conclude that unauthorised access to/disclosure of it is likely to occur and, were it to occur, it “would be likely to result in serious harm to any of the individuals to whom the information relates”.

However, Section 26WF of the Privacy Act creates an exception to reporting such an incident, where the entity in question takes remedial action to ensure that the breach does not cause serious harm to the individuals concerned. Notably, specific data breaches related to certain health records are excluded from this scheme and are to be addressed under Section 75 of the
