The Notifiable Data Breach scheme, established by the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth), commenced on 22 February 2018. Broadly, the scheme provides that companies must take reasonable steps to notify all potentially affected individuals of an eligible data breach, and report the breach to the Office of the Australian Information Commissioner.

One month on from the commencement of the scheme, Svitzer Australia has reported a notifiable data breach involving the personal information of approximately half of its employees. This breach is one of the first to be notified under the new laws.

This breach occurred over a period of nearly 11 months and involved the email auto-forward function: emails from three employee accounts were being automatically forwarded to an external address. Investigations are currently being undertaken, but it has been confirmed that the leaked information may include employee information such as tax file numbers and superannuation details.

What is the risk?

Apart from the risk of business disruption, loss of faith by employees, customers and service providers, and potential claims by those affected, businesses operating in Australia now face significant penalties if they do not have sufficient systems in place to prevent, detect and report cyber security data breaches.

But these were employee records. Does this mean employers cannot rely on the employee records exemption?

It is well established that the Privacy Act 1988 (Privacy Act) contains an exemption whereby the handling of personal information by a private sector employer does not trigger the application of the Privacy Act if it directly relates to an employee's current or former employment relationship.

However, the question of whether employee records are exempt from the reach of notifiable data breaches is less clear.

In circumstances where personal information is not captured under the employee records exemption, the requirements under the Privacy Act must be complied with. For example, information in relation to prospective employees, independent contractors, work experience students or other volunteers will not be captured by the exemption.

Further, information which does not directly relate to an employee's employment may also be captured by the Privacy Act.

Which types of information do not directly relate to an employee's employment is a grey area, and caution should be exercised.

Key takeaways

  • Do not consider the employee records exemption as a blanket protection. If in doubt, seek further advice or notify!
  • Organisations should be prepared in the event that a data breach occurs. Ensure your data breach policies and notification plans are up to date.

This publication does not deal with every important topic or change in law and is not intended to be relied upon as a substitute for legal or other advice that may be relevant to the reader's specific circumstances. If you have found this publication of interest and would like to know more or wish to obtain legal advice relevant to your circumstances please contact one of the named individuals listed.