Two helpful new precedents have been added to the By Lawyers Practice Management guide to assist law firms required to make Privacy Act notifications to the Office of the Australian Information Commissioner.
The Office of the Australian Information Commissioner has indicated that it considers law firms to be subject to the mandatory disclosure provisions.
Privacy Act notifications are required where data breaches are likely to result in ‘serious harm’ to clients. These must be promptly reported to the OAIC and to the affected clients.
Notification is mandatory if the firm is aware of reasonable grounds to believe an eligible data breach has occurred. A firm that becomes aware of a breach must make a rapid assessment, remediate if possible and then, if notification is required, notify without delay.
There is no specified form of notification to the affected individuals. A precedent is now provided on the matter plan – see Letter to client re Privacy Act data breach notification.
Notification to the Office of the Australian Information Commissioner should be done via the online Notifiable Data Breach form on the OAIC’s website, also linked to from the matter plan. However, sometimes the very data breach which requires the notification to be made can also make reporting online impossible. To assist in such circumstances, a precedent letter is now provided on the matter plan where the online form cannot be accessed – see Letter to OAIC re Privacy Act data breach notification.