The Notifiable Data Breach scheme in Part IIIC of the Commonwealth Privacy Act 1988 (Scheme) is now in full force. But not all privacy breaches need to be reported and not all privacy breaches are data security breaches.
The Scheme requires only certain data breaches to be notified by organisations subject to the Australian Privacy Principles, and/or the credit reporting provisions of the Privacy Act or the Tax File Number Rules. Notification of breaches is mandatory when organisations have reasonable grounds to believe an 'eligible data breach' has happened. A data breach is eligible and therefore notifiable when:
- personal information, or credit information or TFN information is subject to unauthorised access or disclosure (or lost in circumstances that are likely to result in unauthorised access or disclosure); and
- affected individuals are likely to suffer serious harm as a result of the breach; and
- no exception to notification applies.
Whether an individual is likely to suffer serious harm is an objective test. However, this is an assessment that your organisation will need to undertake, taking into account the specific circumstances of the breach.
So, assuming there has been unauthorised access or disclosure of personal information that your organisation holds (which includes physical possession or control of the data) or this is likely, how do you work out whether any particular person affected by the data security breach is likely to suffer serious harm? This is one of the most challenging aspects of the Scheme for organisations to understand and assess, because no two breaches and individuals are the same. Also, as the Scheme is still relatively new, we don’t yet have the benefit of any determinations by the Australian Information Commissioner about the circumstances that will meet the ‘serious harm’ threshold.
However, to assist, the guidance issued by the Office of the Australian Information Commissioner (OAIC) (Guidance) sets out some of the factors you can weigh up in assessing whether serious harm is likely. These factors include:
- the type of information involved: where the information is sensitive, financial, can be used for identity fraud or is a combination of personal information types, it is more likely that serious harm will result;
- whose personal information is involved: if the information primarily relates to vulnerable people eg (children or the elderly), this may increase the risk of serious harm;
- the number of individuals involved: the OAIC’s guidance suggests that, even if there is only a small chance of each individual suffering serious harm, if many people are affected, it is more likely that at least some individuals will suffer serious harm. The guidance recommends, from a risk perspective, it may be prudent to assume a breach involving a very large number of people is likely to result in serious harm to at least one of the individuals, unless the context or circumstances support this not being the case;
- the nature of the harm that could result for affected individuals, eg identity theft, financial loss, threats to physical safety or reputational damage;
- the circumstances of the breach, including whether any malicious activity is involved;
- how long the information was accessible before the breach was discovered: if the information was accessible for a significant period before being discovered, it may be more likely that the personal information was accessed in ways that could result in serious harm;
- the types of people who could have had access to the personal information (eg are they all known to be organisation or can they be contacted or are they malicious third party actors); and
- any security measures taken to adequately encrypt, anonymise or otherwise render the information not easily accessible. This assessment should include consideration of the adequacy of the security measures and the capability of the unauthorised recipients to circumvent the security measures.
When undertaking an assessment following a privacy data breach, you should also consider whether you can take any remedial action to remove the likelihood of affected people suffering serious harm. The Guidance sets out some case study examples of the types of action you could take. For example, can you remotely wipe a lost device that has security measures applied before it is likely that someone could have accessed the data on the device? If you can take remediation steps so that serious harm is no longer likely, you will not need to notify.
The two quarterly reports that the OAIC has published to date (February – March and April – June) on notified data breaches under the Scheme do not give any indication whether the reported breaches actually met the threshold 'serious harm' requirement. According to the reports, 305 breaches have been reported to the OAIC from 22 February – 30 June 2018. However, it is not clear whether all these meet the eligible data breach test. Other questions you will want to consider if there has been a data breach is whether you should still voluntarily notify any affected individuals and/or the OAIC about the breach, whether specifically or generally, and what risk there is to the organisation of a claim for damages. While organisations may prefer to adopt a cautious approach and notify a data breach under the Scheme, in the event there is any doubt about whether it falls within the definition, this will form part of the organisation's record of privacy compliance and indicate to customers that the organisation considers that those affected are at risk from serious harm. It also sets a benchmark for the organisation for future notifications.