Organisations subject to the Privacy Act 1988 (Cth) may receive a penalty for privacy breaches. However, can a director also be personally liable for a privacy breach?
What does the Privacy Act say?
The Notifiable Data Breaches (NDB) scheme, introduced on 22 February 2018, requires organisations subject to the Privacy Act to notify affected individuals and the Office of the Australian Information Commissioner (OAIC) when a data breach is likely to result in serious harm to an individual whose personal information is involved.
Serious or repeated failure to comply with the Privacy Act, or interference with an individual’s privacy, may result in civil penalties of up to 2,000 penalty units (approximately $420,000).¹ A failure by an entity to meet any of the requirements of the NDB scheme is an interference with the privacy of an individual.² Legislative amendments are currently being drafted to raise the amount of fines for failure to resolve minor privacy breaches (see New Privacy Laws to be introduced in 2019).
The OAIC is also required, in most circumstances, to investigate a complaint made by an individual about an interference with the individual’s privacy,³ which would include a failure to notify an individual at risk of serious harm of an eligible data breach where required to do so.
The Australian Competition and Consumer Commission’s (ACCC) most recent report calling for higher penalties for breaches of the Privacy Act and the introduction of a new privacy code for digital platforms has been accepted outright by the government.
Directors owe a duty of care care, skill and diligence to their company. This is reinforced by section 180(1) of the Corporations Act 2001 (Cth).
While the Privacy Act grants Courts the power to impose civil penalties for contraventions of the NDB scheme on corporations only, regulators are taking a wider approach to hold directors personally liable for failing to observe a company’s breaches of the Privacy Act and non-compliance with the new NDB scheme. Under the ASIC Act,⁴ a body corporate could be fined a maximum of 10,000 penalty units ($2,100,000).
As an example, HealthEngine, Australia’s biggest medical appointment booking app, is currently facing multi-million-dollar fines from the ACCC for selling patient data to law firms and insurance brokers in exchange for payments. The Company also faces separate investigations by the OAIC and the Australian Digital Health Agency. Time will tell if the company’s directors themselves will be held personally liable for allegations of such serious misuse of patient data.
A director’s failure to implement compliance procedures for data and privacy protection may constitute a breach of their duty of care, skill and diligence owed to the company.
Directors, therefore, need to ensure that the company’s privacy policies, cyber security measures and appropriate data breach notification training are in place to comply with the Privacy Act and fulfill their directors’ duties.
DISCLAIMER: We accept no responsibility for any action taken after reading this article. It is intended as a guide only and is not a substitute for the expert legal advice you can get from marshalls+dent+wilmoth and other relevant experts.
¹ Privacy Act s13G.
² Privacy Act s13(4A).
³ Privacy Act s36.
⁴ ASIC Act 2001 (Cth) s12GB(3).