With the ever increasing collection and electronic retention of personal information across both the public and private sector, it is hardly surprising that data security breaches are also becoming more common.
Many countries have already established legislative frameworks which require the mandatory reporting of data security breaches. Such laws require organisations to notify appropriate regulators, as well as affected persons or bodies, where there has been unauthorised access to, or disclosure of, personal information.
In Australia, there is no law requiring privacy breaches to be reported at this point in time. While government bodies are bound by privacy principles relating to data security, either under Commonwealth or State based privacy laws, there is no obligation to notify a regulator of a breach.
Recently, the Australian Government has proposed the introduction of a mandatory data breach notification scheme (Proposed Scheme) to be enacted into the Privacy Act 1988 (Cth) (Privacy Act).
In December 2015, the Attorney General released a draft of the Privacy Amendment (Notification of Serious Data Breaches) Bill 2015 (Cth) for public comment. More than 40 submissions were received. In April 2016, the Government indicated it intended to introduce a version of the Bill into Parliament. However, this did not occur before Parliament was dissolved for the upcoming election.
The Proposed Scheme is as follows:
- it applies to bodies subject to the Privacy Act, which includes Commonwealth government bodies.
- it requires such bodies to notify the Office of Australian Information Commissioner and affected individuals of serious data breaches.
- notification must be provided ‘as soon as practicable’ upon becoming aware there are reasonable grounds to believe that there has been a serious data breach. A body has 30 days from becoming aware to carry out an assessment of whether there are reasonable grounds to believe a serious data breach has occurred.
- serious data breaches involve the compromising of:
- personal information
- credit reporting information
- credit eligibility
- tax file number information
which puts any individual to whom the information relates at ‘real risk of serious harm’.
- there is a penalty for non-compliance (maximum $1.8 million).
The Proposed Scheme will only apply to information regulated under the Privacy Act. As such, it will not apply to State or Territory government departments and agencies or local councils.
Neither the privacy laws in Victoria nor New South Wales require mandatory reporting. However, the NSW Privacy Commissioner last year called for the Privacy and Personal Information Protection Act 1998 (NSW) to provide for mandatory notification of serious breaches of privacy by a public sector agency.
In Victoria, the former Privacy Commissioner released a Guide on Responding to Privacy Breaches (May 2008). This Guide provides there are four key steps to consider when responding to a privacy breach or suspected breach:
- breach containment and preliminary assessment
- evaluation of the risks associated with the breach
The Guide states the decision on how to respond should be made on a case-by-case basis. The speed and adequacy of an organisation’s response to a serious privacy breach may significantly reduce the cost to the organisation later, both financially and from potential loss of reputation.
With respect to step (3) notification in particular, the Guide provides:
- An assessment of the type of personal information involved will help an organisation determine how to respond to the breach, who should be informed (including the Privacy and Data Protection Commissioner) and what form of notification to the individuals affected, if any, is appropriate.
For example, if a laptop containing adequately encrypted information is stolen, subsequently recovered and investigations show that the information was not tampered with, notification to individuals may not be necessary.
- Also of key relevance is what loss, damage or risk of harm to the individuals could result from the breach. An organisation should consider whether to seek advice from a specialist third party such as a health professional when assessing foreseeable harm to an individual.
Examples of harm include security risk (e.g. physical safety), identity theft, financial loss, loss of business or employment opportunities, and injury to an individual’s feelings, humiliation, damage to reputation or relationships.
- If a privacy breach creates a risk of harm or loss to the individual, those affected should be notified. For example, third parties may be affected if they are required to cancel their credit cards or if organisations have to assign new unique identifiers or issue new forms of identity. Prompt notification to individuals in these cases can help them mitigate the damage by taking steps to protect themselves. The challenge is to determine when notice should be required. Each incident needs to be considered on a case-by-case basis to determine whether privacy breach notification is required. In some exceptional cases, notification may cause more harm than it would alleviate.
It seems inevitable that the Australian government, if not also its States and Territories, will soon implement mandatory reporting of serious data breaches. If this occurs, government bodies will be required to create new procedures for ensuring they can comply with any new reporting regime.
Even without such mandatory reporting regimes, government bodies should consider the potential impact that a data breach may have on third parties in determining what action should be taken, including notification of those third parties and the relevant regulator.