The proposed mandatory scheme for notifying serious data breaches in the form of an exposure draft Bill, the Privacy Amendment (Notification of Serious Data Breaches) Bill 2015, has now been released by the Federal Attorney General for industry consultation. It is supported by an Explanatory Memorandum (EM), a Discussion Paper and a draft early assessment Regulatory Impact Assessment which consider various response options. This was later than hoped, as the Government had indicated that laws would be introduced before the end of this year. The Bill proposes to amend the Commonwealth Privacy Act 1988 by inserting a new Part IIIC which will apply to Commonwealth agencies and the private sector (unless exempt), including tax file recipients, credit reporting bodies and credit providers and also service providers in connection with data they must retain under the Telecommunications (Interception and Access) Act 1979.
Timeline to the draft Bill
The proposal follows:
- a Private Member's Bill introduced by then Senator Natasha Stott Despoja in 2007 (see our Alert)
- a recommendation by the Australian Law Reform Commission (ALRC) following its inquiry into the Privacy Act, to include mandatory data breach notification in the reforms to the Privacy Act (see its 2008 report)
- a Discussion Paper released in October 2012 which sought comment on making notification of data breaches mandatory (see our Alert)
- mandatory data breach notification under the My Health Records Act 2012 (Cth)
- the Privacy Amendment (Privacy Alerts) Bill 2013 (Cth), which almost became law in August 2013 (see our Alert)
- a revised OAIC Guide released in August 2014 following the introduction of the APPs
- ASIC's Report 429 'Cyber resilience: Health check' in March 2015
- the recommendation of the Parliamentary Joint Committee on Intelligence and Security (PJCIS), following its inquiry into the now enacted mandatory metadata retention laws, that a 'robust' mandatory data breach notification scheme be enacted in the legislation
- the Attorney-General and Malcolm Turnbull (then Minister for Communications, now Prime Minister) announcing that the Government would introduce a mandatory data breach notification scheme by the end of 2015, following consultation on the draft legislation
- the first cyber security threat report from the Australian Cyber Security Centre (ACSC), and
- many high profile data breaches suffered by both the private and government sectors in the last few years which have been the subject of media and regulator scrutiny.
Current data notification obligations
Currently, Commonwealth agencies and private sector organisations must keep personal information secure in accordance with APP 11 by taking reasonable steps to protect the personal information they hold from misuse, interference and loss, and from unauthorised access, modification or disclosure. There are also separate data security obligations in relation to tax file numbers (TFNs), credit information and credit eligibility information. Notification of breaches of the security of personal information held by all these entities, by voluntarily notifying affected individuals and reporting the breach to the OAIC, is considered as one option in a risk management approach to meeting their data security obligations. Following the OAIC Guide as part of any data breach response supports, and will continue to support, compliance with these obligations.
Key obligations proposed by the new Bill
1. A 'serious' data breach
The mandatory notification requirements would only be enlivened if a serious data breach occurs because:
- personal, credit, credit eligibility and/or tax file information 'held' by an entity bound by the Privacy Act has been subject to unauthorised access or disclosure, including if that is likely as a result of the loss of such information, and
- a real risk of serious harm will result to any individual to whom the information relates, or
- any of the information affected is of a kind specified in the regulations, or
- the Privacy Commissioner directs notification on the basis there is reasonable grounds to believe there has been a serious data breach.
A 'real risk' is defined as a risk that is not a remote risk, and 'harm' is broadly and non-exhaustively defined to include psychological, physical, emotional, reputational, economic or financial harm. What harm will be serious is not defined. The Bill lists a non-exhaustive range of factors to have regard to when determining if there is a risk of serious harm. These include:
- the kind and sensitivity of the information
- whether it is intelligible to an ordinary person
- whether it is protected by any security measures
- any steps the entity has taken, is taking or will take to mitigate harm, and
- the nature of the harm.
2. Notification requirements: timing, content and communication
(a) The 'notification statement' must be prepared as soon as practicable and no later than 30 days after the entity is aware, or ought reasonably to be aware, that there are reasonable grounds to believe there has been a serious data breach. The notice period allows the entity time to assess whether there has been a serious data breach in the circumstances. This would help avoid the need for early notifications where it is unclear whether there has been a serious data breach.
(b) The content of the statement must include:
- the entity's identity and contact details
- a description of the serious data breach
- the kinds of information affected, and
- recommendations about the steps that the individuals should take in response to the serious data breach.
(c) A copy of the statement must be provided to the Privacy Commissioner and reasonable steps must be taken to notify each individual. This will include, but is not limited to, using the communication channels the entity has normally used to contact them. If that is not practicable, the entity must publish the statement on its website and take reasonable steps to publicise the statement contents. This should allow some flexibility.
3. Notification exemptions
Entities are exempt from notifying individuals if one of the limited exceptions applies. These include if:
- enforcement related activities are likely to be prejudiced
- notification is inconsistent with Commonwealth secrecy laws
- the Privacy Commissioner, on being satisfied that it is in the public interest to do so, has given written notice on the Commissioner's own initiative or on the entity's application, and
- having carried out the required assessment of the data breach in the required period, the entity assesses there has been no serious data breach.
4. Consequences of failure to notify
Failure to notify in accordance with the proposed scheme (including at the direction of the Privacy Commissioner) will be deemed an interference with privacy and subject to the Privacy Commissioner's regulatory powers. This would mean that the Commissioner can use the range of sanctions available, depending on how serious the breach and the failure to notify are. Sanctions may include an investigation and determination that may require the entity to apologise, pay compensation or take (or refrain from taking) certain action.
The OAIC Guide applies a shared but more prescriptive standard for assessing risk of serious harm. Given that the entity bears the onus of assessing whether there is a risk of serious harm and the breadth of potential harm, the OAIC Guide would continue to be relevant to a breach response. The Privacy Commissioner would also be able to issue further guidance to support compliance with the proposed scheme.
A stated aim of the scheme is to capture only serious data breaches, so as to avoid notification fatigue and not impose an unreasonable compliance burden on organisations. Nevertheless, the obligation entities would have to undertake a timely assessment of whether the security breach will result in a serious risk of harm, in light of the broad proposed definition of harm, will require implementation of a rigorous data breach response procedure.
In the meantime ...
The financial impact and reputational damage of a serious data breach can be significant, as many organisations have learned, and the security threats, whether from human error or cyber attacks, are not going away. Given the increasing amount of personal information that organisations and agencies collect and hold in various electronic formats, the risk of a serious breach is higher and the breach response should reflect this. Organisations and agencies (whether subject to the Privacy Act or not) exposed to a data breach should consult the OAIC Guide and consider notifying the Privacy Commissioner and affected individuals in order to manage the breach and to mitigate any reputational damage it may cause, and should review their privacy practices and procedures to minimise the risk of data breaches.