Parliament passes Digital Privacy Act introducing significant fines and mandatory breach notifications. The Digital Privacy Act became law on June
What is personal information? Is my organisation subject to the Privacy Act? What are my obligations under the new law?
What are the penalties for not complying? Practice area: Data protection, privacy and cybersecurity. Sector: Technology and innovation. Nick Abrahams.
Norton Rose Fulbright launches first Australian law firm chatbot to help manage data breach
Bernard O'Shea. Jim Lennon. Or their parents? Similar questions will arise for mass-market apps that are attractive to all kinds of audiences.
Understanding the Australian Notifiable Data Breach Scheme
The Act introduces a new set of obligations with respect to breaches of security safeguards or a failure to establish those safeguards. These will not be in force until the government crafts implementing regulations following a consultation with stakeholders and the Office of the Privacy Commissioner.
No timeline has been provided for implementing any regulations. Once these provisions come into force, organizations will be required to report to the Commissioner any breach of security safeguards involving personal information under their control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual.
Organizations will also be required to notify a potentially affected individual of such a breach, using a similar threshold.
Further, an organization encountering a breach will have additional reporting obligations to other organizations and government institutions if the breached organization believes the other organizations may be able to reduce their risk of harm as a result.
The Act introduces liability for knowingly violating the notification requirements.
New penalty regime under the privacy act
The new Act now provides the Commissioner with the right to make public any information that comes to his or her knowledge in the performance or exercise of any of his or her duties or powers, as well as information in security breach notifications to the Commissioner. This is likely to make organizations much less willing to make a full and frank disclosure to the Commissioner. In addition, organizations dealing with the Commissioner will now have to be concerned about ensuring their trade secrets and confidential information are adequately protected, potentially through sealing orders or similar mechanisms, as well as ensuring that, by providing information to the Commissioner, they are not in violation of their agreements with third parties or requests made by law enforcement.
Of note, consent will not be required to: The final provision is particularly welcome in transactional contexts where the vendor has not obtained the consents to share personal information for due diligence purposes in a deal.
While courts have occasionally issued orders to permit such disclosures, this has always been a cumbersome and uncertain process for parties to a transaction.