The Federal Government released a discussion paper and an exposure draft of the Privacy Amendment (Notification of Serious Data Breaches) Bill 2015 yesterday for public consultation.
The Exposure Draft, if introduced, may have significant impacts on your business, and we urge you to consider making a submission.
It will require entities to notify "serious data breaches" to affected individuals and the Australian Information Commissioner. A "serious data breach" is one that creates "a real risk of serious harm" to the affected individuals.
The new obligation will apply to entities who are bound by the Privacy Act, namely Federal Government agencies and most private sector organisations with a turnover above $3M, and to the kinds of information already regulated under the Act such as "personal information".
The Federal Government intends to consult extensively with industry and stakeholders on the Exposure Draft. There is therefore an opportunity to ensure that costs and regulatory impacts of the changes are minimised. Submissions on the Exposure Draft and the accompanying explanatory memorandum and early assessment regulatory impact statement are sought by the Government by 4 March 2016.
Background to the Serious Data Breach Notification Bill
In response to the February 2015 inquiry of the Parliamentary Joint Committee on Intelligence and Security, the Government agreed to introduce a mandatory data breach notification scheme. The underlying reason behind the introduction of the Exposure Draft is to ensure that individuals can take remedial steps in the event that their personal information is compromised. By doing so, potential adverse consequences (including financial loss or identity theft) can be avoided where possible.
While businesses who are subject to the Privacy Act 1988 (Cth) are currently subject to a requirement to protect personal information from misuse, interference and loss, unauthorised access, modification and disclosure under Australia Privacy Principle 11 (APP 11), they are not subject to a mandatory data breach notification requirement under the Privacy Act.
Structure of the Data Breach Notification Bill
The Exposure Draft would amend the Privacy Act to insert a new Part IIIC, within which the concept of a "serious data breach" would be inserted. Under the scheme, notification would be required if there are reasonable grounds to believe that a serious data breach has occurred. If an entity suspects but is not certain a serious data breach has occurred, the entity has 30 days to assess if notification is required.
The notification obligation applies to the Commissioner and affected individuals. Entities notifying affected individuals will be required to take such steps (if any) as are reasonable in the circumstances to notify each affected individual. Where it would not be practicable to notify each affected individual, the entity is required to publish a notice about the data breach on the entity's website and take reasonable steps to publicise the notice.
The scheme establishes certain exemptions, including where notifications would be contrary to the public interest (public interest exception). Entities must apply to the Commissioner for a public interest exemption. While the Commissioner considers the application for an exception, the obligation to notify would be suspended.
While similar to the previous Bills tabled in 2013 and 2014, the Exposure Draft differs in some respects from those Bills. For example, the definition of harm in the Exposure Draft includes harm to reputation, economic harm and financial harm, however also includes physical, psychological and emotional harm. It also provides that the term "as soon as practicable" includes the time taken to carry out a reasonable assessment so long as that assessment is carried out within 30 days.
The proposed Serious Data Breach Notification Bill compared to overseas regimes
The Discussion Paper compares the Exposure Draft to data breach notification schemes in overseas jurisdictions. The establishment of a notification threshold that requires a "serious data breach" to have occurred before notification is required looks to avoid "notification fatigue" for individuals and prevent unnecessary administrative costs for businesses. Under the current voluntary data breach notification scheme, the Office of the Australian Information Commissioner received 2841 privacy complaints and 110 notifications over the 2014-15 period (according to its 2015 Annual Report).
Consequences for non-compliance
Businesses who fail to comply with the provisions risk enforcement action including potential civil penalties for serious or repeated infringements. Under the Exposure Draft, a business would not be compliant with their notification obligations where they are not aware of a serious data breach however they reasonably should have detected it.
Guidance material is expected to be issued by the Commissioner to help businesses comply with the requirements to identify where "serious data breaches" have occurred. This would be in addition to the list of matters that businesses should have regard to in determining whether there is a real risk of serious harm which would be inserted in the Privacy Act under the Exposure Draft.
Next steps in developing the Serious Data Breach Notification regime
The Bill would commence 12 months after the Bill receives Royal Assent unless a date is fixed by Proclamation.
You should consider the Exposure Draft, explanatory memorandum and regulatory impact statement and how it would apply to your business.
If you would like to make a submission, you must do so by 4 March 2016.