New Guide – Data Breach Notification
On 30 April 2012 the Office of the Australian Information Commissioner (OAIC) released its updated Guide to handling personal information security breaches entitled ‘Data Breach Notification’.1 This Guide is an update of the ‘Guide to Handling Personal Information Security Breaches’, first issued in 2008. The main aim of the Guide is to provide guidance to organisations as to how they should respond to a data breach, including what steps they should take, and risks they should consider when responding. It is useful to note at this point that whilst the Guide is a best practice guideline, as opposed to mandatory, the OAIC strongly recommends compliance with it, as such compliance is likely to decrease the risk of an organisation breaching its obligations under the Privacy Act 1988 (Cth).
Data breach incidents have been a growing area of activity for the OAIC which received notifications from 56 organisations and government agencies subject to such incidents in the 2010/11 year.2
Obligation to notify?
The change in title, and the updates to the Guide, indicate that the OAIC is placing increased emphasis on organisations proactively notifying data breaches to affected individuals and other relevant parties, such as the OAIC itself.
This approach is consistent with the Australian Law Reform Commission (ALRC) recommendation that the Privacy Act be amended to impose a mandatory obligation to notify the Privacy Commissioner (now part of the OAIC) and affected individuals in the event of a data breach that could give rise to ‘a real risk of serious harm to affected individuals’. The OAIC notes in the Guide its strong support for this recommendation. Many parts of the US and the EU already have data breach notification laws in place, and a number of other countries have also been adopting or considering them in the last couple of years.
A key theme in the updated Guide is that notification where there is a real risk of serious harm is good privacy practice. While notification of a data breach in accordance with the Guide is not specifically required under the Privacy Act, notification will, in certain circumstances, assist an organisation in complying with its obligations under the Privacy Act. The OAIC does appear to make stronger links in the updated Guide between the failure to notify and have data breach policies and response plans, and the potential breach of Privacy Act obligations to protect the security of personal information.
Some might also say that the emphasis on notification is reflective of community expectations in relation to data breaches, ie individuals expect to be notified if something has happened to their personal information that could result in harm to them (eg identify theft). One only needs to recall the Sony PlayStation data breach of April 2011, (which affected the personal details and credit card details of approximately 715,000 Australian consumers and many more worldwide), where Sony was criticised in the media for taking a week to tell consumers that their details had been compromised. The media interest in data breach stories highlights the serious public relations issues that accompany these incidents, and the updated Guide now refers ‘rebuilding public trust’ as one of the potential benefits of notification.
Data Breach Policy and Response Plan
The updated Guide also has an increased emphasis on data breach policies and response plans. Depending on the circumstances the OAIC considers that the preparation and implementation of such policies and plans may be required to comply with Privacy Act requirements to take ‘reasonable steps’ to protect personal information from misuse and loss and from unauthorised access, modification or disclosure.
As a part of this increased emphasis the OAIC has fleshed out some additional points that it considers should be part of an organisation’s data breach policy and response plan:
- Establish a breach response team – include representatives from relevant areas that may need to investigate a data breach, conduct risk assessments and make appropriate decisions (eg senior management, IT, public relations and legal).
- Internal communication and training – ensure staff in relevant areas are trained to identify a potential or actual data breach, know how to respond to data breaches effectively and are aware of relevant policies and procedures relating to data breaches.
We are seeing more and more data breaches being reported because of massive leaps in the amounts of data being stored electronically, sent via the internet, and the increasingly networked and portable nature of data storage.
Technologies such as smartphones, cloud computing, tablet devices, online services, social media, remote access and flash drives are all playing a part in data breach incidents. With these trends continuing to increase, organisations and government agencies should review their procedures in relation to the collection, storage and handling of personal information and other sensitive data to minimise the risk of a data breach and to ensure they are well-placed to respond if a breach occurs.
As a part of this review organisations should ensure that they become familiar with the latest Guide and action the points below:
- review and update internal policies and procedures relating to privacy, data security and data breaches in light of the revised Guide.
- consider putting in a place an appropriate data breach policy and response plan, including setting up a breach response team and training staff in the new policies and plan.
- review external privacy policies to address how data breaches are dealt with.
Privacy complaints checklist
In addition to the launch of the revised Guide the OAIC has released a new Fact Sheet entitled ‘Guide to Internal Investigations’3. This Fact Sheet sets out a checklist designed to assist organisations in addressing privacy complaints.
Amendments to Privacy Act to be introduced during the Winter sitting of Parliament
Yesterday the Attorney-General announced that the Australian Government will introduce amendments to the Privacy Act during the Winter sitting of Parliament. The amendments are the first steps in the long awaited reforms of privacy law in Australia and will focus on:
- introducing the Australian Privacy Principles, which will replace the existing National Privacy Principles and Information Privacy Principles,
- reforms to Australia’s consumer credit reporting regime, and
- extending the powers of the Privacy Commissioner.
It appears that this round of amendments will not address health privacy matters specifically.