Proctor : March 2018
If neither of these actions is practicable, the firm must publish the statement on its website and take reasonable steps to publicise its contents.

Are there exceptions?

There are limited circumstances in which a data breach need not be reported, although practitioners should consider the situation thoroughly before deciding that no further action need be taken; the consequences of misapplying an exception could be disastrous.

The exception most pertinent to the operation of a law firm is the one that applies where remedial action is taken. Section 26WF(1) provides that an unauthorised access to, or unauthorised disclosure of, personal information is taken never to have been an eligible data breach if the entity:
• takes remedial action in response to it
• takes that action before the access or disclosure results in serious harm to any of the individuals to whom the information relates, and
• takes action such that, as a result of it, a reasonable person would conclude that the access or disclosure would not be likely to result in serious harm to any of those individuals.

If those criteria are fulfilled, the access or disclosure is taken never to have been an eligible data breach. A parallel exception in s26WF(2) applies where information is lost rather than accessed or disclosed, provided action is taken before any unauthorised access or disclosure occurs. In our scenario above, for example, if the lost phone was remotely wiped before anyone managed to access it, it is likely no notifiable breach would have occurred. Note that the entity must actually take the action; merely intending to, or hoping the device is never found, does not engage the exception.

Several other exceptions are provided in the legislation; these are more likely to be relevant to clients' breaches than to a law firm's own.
A detailed consideration of these exceptions is beyond the scope of this article, but in short compass they are as follows:
• Enforcement-related activities: s26WN provides an exception for an enforcement body that believes on reasonable grounds that compliance with the reporting provisions of the Part would be likely to prejudice one or more enforcement-related activities conducted by, or on behalf of, that body.
• Inconsistency with secrecy provisions: s26WP provides an exception where compliance with the reporting provisions of the Part would, to any extent, be inconsistent with a secrecy provision (other than a prescribed secrecy provision).
• Declaration by the Commissioner: s26WQ empowers the Commissioner to declare that ss26WK and 26WL do not apply to a given breach, or to extend the time for compliance with s26WL.
• My Health Records Act 2012: s26WD provides an exception where a breach has been, or is required to be, notified under section 75 of the My Health Records Act 2012.

What are the consequences of failing to act?

Failure to comply with the new regime is deemed an interference with the privacy of an individual. A law firm found to have done so is exposed to significant penalties, including civil penalties of up to $2.1 million (the maximum for a body corporate). Penalties of that order would be terminal for many law firms, which underscores the importance of understanding and complying with the reporting regime.

Prudent preventative actions

Few practice risks lend themselves as readily to the mantra 'prevention is better than cure' as the data breach reporting regime, and practitioners must be proactive in addressing this risk. The following suggestions are not a panacea, but they may assist in reducing the risk of a notifiable breach.
• Deliberate disclosure: If a client wishes you to disclose personal information, ensure that consent to do so is informed and in writing.