In this article, we report on the Australian Government's most recent push to introduce laws requiring entities to notify affected individuals of data breaches and about proposed reforms concerning the shift towards the increased release and use of government data.
A mandatory data breach reporting regime in Australia
In recent years, a number of attempts to introduce mandatory data breach reporting laws in Australia have failed. As part of the Australian Government's latest push to introduce such laws, an "exposure draft" of its proposed legislation was released in 2015, which we reported on here. Following a period of consultation and review, revised legislation was recently tabled in Parliament: the Privacy Amendment (Notifiable Data Breaches) Bill 2016 (Cth) (Bill). The Bill must now pass both the House of Representatives and the Senate.
The regime will apply only to entities subject to the Australian Privacy Principles, which means that, apart from limited exceptions, small businesses (i.e., businesses with an annual turnover of less than $3 million) will be exempt.
An entity will be required to comply with specific notification obligations as soon as practicable after becoming aware of reasonable grounds for believing it has been the subject of an "eligible data breach". An eligible data breach will occur where personal information about one or more individuals held by the entity is subject to unauthorised access or disclosure, or is lost in circumstances in which unauthorised access or disclosure is likely to occur, and a reasonable person would conclude that such access or disclosure is likely to result in serious harm to any such individual (affected individual).
In determining if a reasonable person would reach that conclusion, an entity will need to consider a number of factors, including the sensitivity of the information, whether it is protected by any security measures and the likelihood any such measures could be overcome.
If an entity is aware that it may have been the subject of an eligible data breach, but is not aware of reasonable grounds for believing it has been, the entity will have 30 days to undertake a reasonable and expeditious assessment to determine if there are in fact reasonable grounds for believing that it has been the subject of such a breach.
A failure to comply with the provisions would constitute an interference with privacy under the Privacy Act 1988 (Cth) (Act), which means that the Privacy Commissioner could then investigate, make determinations and provide remedies for non-compliance with the Act.
Key changes from the previous mandatory data breach reporting proposal
Under the previous version of the legislation, the obligation to notify was to arise where there was a "real risk of serious harm" associated with a data breach. Under the Bill, however, an entity will be required to notify affected individuals if a "reasonable person" would "conclude" that serious harm is "likely". Previously, a "real risk" was defined as one that is "not a remote risk". Based on the explanatory memorandum to the Bill, however, "likely" will be taken to mean "more probable than not", which is arguably a higher threshold. As a result, whilst this change appears to be directed towards addressing concerns about the uncertainty of when a "real risk" would arise, the effect of the change will probably be that fewer data breaches will be notifiable.
Additionally, the Bill includes new provisions providing that no notification obligation will arise if the entity takes "remedial action", being action:
- in response to unauthorised access or disclosure, before the access or disclosure results in serious harm to any affected individual, and, as a result of the action taken, a reasonable person would conclude that access or disclosure is not likely to result in such harm; or
- in response to the loss of information, before any unauthorised access or disclosure occurs, and, as a result of the action taken, there is no access or disclosure.
The definition of "harm" has been removed. However, the explanatory memorandum indicates that the references to "serious harm" in the Bill are not limited to any particular form of harm. It appears any harm (including emotional distress or reputational harm) could constitute "serious harm".
The increasing release and use of government data
We recently reported on issues concerning the growing use of Big Data in Australia here. Broadly speaking, a key objective of the relevant policies, guidelines and measures which have been adopted recently in this area is to encourage and facilitate the release and use of appropriate government data between government agencies and the private and research sectors.
The Australian Government released its Public Data Policy Statement in December 2015. The Statement addresses the use of public data (being all data collected by government entities for any purpose) by Commonwealth entities, the release (i.e., on an "open by default" basis) of non-sensitive data to the public and collaboration by Commonwealth entities with the private and research sectors. Following the release of the Statement, the Commissioner published draft guidance regarding the use of Big Data. One point emphasised in that guidance is that privacy issues associated with the use of Big Data can be avoided to the extent the data can be de-identified and therefore cease to be classifiable as "personal information".
In a subsequent development, in November 2016 the Productivity Commission launched a draft report on Data Availability and Use. A focus of the draft recommendations is that individuals should have greater control over information collected about them. There should be a new "comprehensive right" for consumers which, in addition to existing rights of access and correction arising under the Privacy Act, would involve improved rights to opt out of collection and to obtain machine-readable copies of their personal data from those in possession of it. The "comprehensive right" would also give consumers the right to direct data holders to transfer their data to a nominated third party. Describing current data laws as being out of touch with the requirements of the digital age, the draft report recommends the introduction of a new Data Sharing and Release Act and the creation of a National Data Custodian supported by a suite of Accredited Release Authorities. The recommendations are open for public comment until 12 December 2016.
New offences and civil penalties for conduct relating to de-identified personal information
In an effort to address concerns regarding the disclosure of de-identified personal information and the possible re-identification of such information with advances in technology, the Australian Government recently introduced the Privacy Amendment (Re-identification Offence) Bill 2016 (Cth), which is currently before the Senate.
The Bill prohibits certain forms of conduct relating to information published by a Commonwealth agency in a generally available publication on the basis that the information was de-identified personal information. Subject to limited exceptions, the Bill includes provisions providing for criminal offences and civil penalties for the intentional re-identification of de-identified personal information and the disclosure of re-identified personal information when it is known that the information is no longer de-identified. Importantly, these new laws are proposed to apply to small businesses which are not subject to the Australian Privacy Principles.