Introduction

How much data is collected about you and your activities each day? Were you one of the 1.7 million Australian Adobe users, or the 460,000-900,000 Australian Ashley Madison users, whose personal information was hacked into and subsequently leaked? Regardless of how or why you may choose to provide applications and businesses with your personal information; you should be able to rest assured that reasonable lengths are being taken by those entities to keep your data safe.

It is now more important than ever for you to be aware of what parts of the law protect your personal information currently floating out in the ether, as well as what parts still need work.

The recently proposed Privacy Amendment (Notification of Serious Data Breaches) Bill 2015 (Cth), aims to ensure that the public will be aware when there has been serious unauthorised acquisition, or misuse, of their personal data.  By imposing mandatory reporting obligations on Australian Government Agencies and private sector organisations that hold this data, the 2015 Bill will effectively compel these agencies and organisations to improve their data safeguarding procedures and policies thereby increasing their data security, public accountability and transparency.

In this Alert, Partner Hayden Delaney and Annabelle Ziegler Law Clerk will address the Privacy Amendment (Notification of Serious Data Breaches) Bill 2015 (Cth).

General information on the release of the Privacy Amendment Bill

This proposed Bill, when and if enacted, will amend the Privacy Act1988 (Cth).  This amendment to the Privacy Act will be effective upon the day that it receives the royal assent.  It provides for a new Part IIIC – ‘Notification of Serious Data Breaches’ - to be enacted in the Privacy Act.  Released with this draft 2015 Bill was an accompanying Explanatory Memorandum, a Regulation Impact Statement, together with a Discussion Paper titled ‘Mandatory Data Breach Notification.’

What you need to know about the Privacy Amendment (Notification of Serious Data Breaches) Bill 2015?

The key underlying policy driver behind the 2015 Bill is to protect and enhance the rights of consumers to control how their personal information is collected, utilised and divulged to others.  In addition, the 2015 Bill seeks to ensure that those affected by serious data breaches are notified when such breaches occur so that they have an opportunity to take remedial action to mitigate their loss. The effect of the 2015 Bill will be to simultaneously increase public confidence in data integrity measures by the further encouragement of the adoption of better ICT security practices and technology.

Comments from the general public on the draft 2015 Bill

The draft 2015 Bill seeks comments from the general public on the proposals contained within it pertaining to the imposition of a mandatory reporting obligation on entities holding an individual’s personal data to notify them, together with the Office of the Australian Information Commissioner (‘the Commissioner’), in the event that there are “reasonable grounds to believe that a serious data breach has occurred.” 

Australian Privacy Principle (APP) 11 in the Privacy Act

Currently, Australian Privacy Principle (APP) 11 in the Privacy Act requires Australian Government Agencies and private sector organisations with over $3 million in annual turnover (subject to some limited exceptions) to take reasonable steps to maintain the security of an individual’s personal information from misuse, interference and loss and from unauthorised access, modification or disclosure.  However, APP 11 does not make it mandatory for the relevant APP entity to disclose any such breaches to affected parties.  

Whether a “serious data breach” has occurred

Under the 2015 Bill, an entity holding an individual’s data will have 30 days to assess whether there are in fact reasonable grounds to believe that a serious data breach has occurred in circumstances where an entity suspects but is uncertain whether or not a serious data breach has occurred.  As currently defined in the 2015 Bill, a “serious data breach” is one where there is unauthorised access to, unauthorised disclosure of, or loss of, personal information (or certain other information) held by an entity.

The kind of information that falls within the purview of the 2015 Bill includes personal information, credit reporting and credit eligibility information and tax file number information with these matters being as defined within the Privacy Act.

Notification of a “real risk of serious harm”

In the event that an entity knows, or has reasonable grounds to believe, that a serious data breach has occurred, that entity must notify both the Commissioner and affected individuals of that data breach where that breach will create “a real risk of serious harm.”  The 2015 Bill also covers a serious data breach pertaining to information of a kind that is specified in the regulations to the Privacy Act as falling within these provisions.  An entity’s notification obligation is made subject to certain law enforcement and secrecy provisions.

“A real risk of serious harm” has been defined in the 2015 Bill as meaning a risk that is not a “remote risk” with “harm” inclusively defined to mean physical, psychological and emotional harm, together with harm to reputation and economic and financial harm. 

Notification is required to be effected by an entity as soon as practicable after it becomes aware or ought reasonably to have become aware of a serious data breach, with the entity taking such steps (if any) as are reasonable in the circumstances to notify affected individuals.  Notification may occur for example by email, post, telephone or whatever usual channels are normally employed by the entity to contact these individuals.  Where it is not reasonably practicable for the entity to notify each affected individual, the publication of a notice about the data breach may occur through social media posts, or by advertisements in online or print media.

Pursuant to the Australian Government’s Discussion Paper, it is proposed for the Commissioner to issue guidance material to assist entities in assessing whether a serious data breach has occurred and how to comply with the proposed scheme’s notification requirements.

Failure by the entity that has suffered the serious data breach to inform the Commissioner of this serious data breach will lead to this entity being subject to the risk of enforcement action by the Commissioner.  This enforcement action may include the potential for the imposition of civil penalties by the Federal Court or Federal Circuit Court in the event of serious or repeated non-compliance with these statutory provisions.  Serious or repeated interferences with the privacy of an individual attract a maximum penalty of $360,000 for individuals and $1,800,000 for bodies corporate.

Criticisms of the 2015 Bill

Given that most small businesses have a turnover of less than $3 million, these entities, many of which collect significant personal data in the course of their business operations, will generally not fall within the notification obligations proposed by the 2015 Bill.  Accordingly, this small business exemption has the potential to significantly reduce the 2015 Bill’s effectiveness.  Likewise, existing exemptions provided to law enforcement and intelligence agencies under other provisions of the Privacy Act will also be maintained thereby reducing the 2015 Bill’s effectiveness in achieving its indicated policy objectives.  A similar outcome arises if the notification requirements provided by the 2015 Bill are inconsistent with other Commonwealth disclosure requirements, or where mandatory notification is already required under other Commonwealth legislation such as pursuant to the My Health Records Act 2012 (Cth).  These other Commonwealth disclosure requirements prevail to the extent of any inconsistency.  Another arguable shortcoming of the 2015 Bill is the broad discretion provided to the Commissioner to exempt an entity from complying with the notification provision.  For example, this may occur where it is considered by the Commissioner to be in the public interest to do so.  The Commissioner can provide this exemption on his own volition or on the application of an otherwise liable notifying entity.

At a more operational level, the expression “real risk of serious harm” being defined in terms of not being a “remote risk” is very open-ended.  The vagueness in this definition leaves a lot to interpretation. Given the potential penalties that could be imposed on an entity for non-compliance, this is arguably a significant legislative ambiguity that could give rise to unfairness or injustice.  Unlike in other jurisdictions, such as in California, USA, it is noted that there is no express exemption from mandatory notification of data breaches in circumstances where the relevant data has been encrypted.  If this exemption from mandatory reporting was contained in the 2015 Bill, organisations would then have a clear safe harbour for when reporting would not be required.  They would also have a tangible incentive to improve their data security processes and procedures.  This would ultimately result in cost savings for all parties given the significant deleterious costs and consequences that can arise from data breaches when compared to the relatively insignificant costs of the application of encryption technology.

Public comments on the 2015 Bill

Public comments on the 2015 Bill and related materials are requested by the Commonwealth Government up until 4th March 2016.  All submissions received by the Government will be considered in preparing the final draft Bill to be presented before the Parliament.