Businesses operating in Australia that handle personal information will soon need to notify affected individuals and the Australian Information Commissioner (the Commissioner) of serious data breaches under a new mandatory notification scheme.
On 13 February 2017, the Australian Federal Parliament passed the Privacy Amendment (Notifiable Data Breaches) Bill 2016 (the Bill). Years in the making and after numerous iterations, the Bill amends the Privacy Act 1988 (Cth) (the Privacy Act) to introduce a system for the reporting of serious data breaches involving personal information (the Notification Scheme).
Who is affected?
All entities currently subject to the Australian Privacy Principles (APPs) must comply with the Notification Scheme. This includes Australian private sector organisations with an annual turnover of more than $3,000,000, most Federal Government agencies, and foreign companies that carry on business in Australia and collect or hold personal information here.
Are all data breaches notifiable?
Not all data breaches suffered by an entity need to be reported under the Notification Scheme. Only a data breach that satisfies the criteria set out in the Bill will be considered an ‘eligible’ data breach and notifiable.
What is an eligible data breach?
An ‘eligible’ data breach occurs when there is unauthorised access to, or unauthorised disclosure of, information (being personal information, tax file number information or credit eligibility information), or such information is lost in circumstances where unauthorised access or disclosure is likely to occur, and a reasonable person would conclude that the access or disclosure is likely to result in serious harm to any of the individuals to whom the information relates.
The concept of ‘serious harm’ is not defined in the legislation. However, the Explanatory Memorandum provides some guidance, indicating that serious harm could include serious physical, psychological, emotional, financial or reputational harm. Whether or not a reasonable person would conclude that a data breach is likely to result in serious harm requires consideration of a number of relevant matters, including:
- the nature and sensitivity of the information;
- the level of security protecting the information and the likelihood of those security measures being overcome;
- the identity of the persons who have, or could have, obtained the information;
- the nature of the harm; and
- any other relevant matters.
Are there any exceptions?
If an entity is able to undertake sufficient remedial action in response to a data breach such that no serious harm results from the data breach, that unauthorised access or disclosure is not considered to be an eligible data breach and the Notification Scheme does not apply.
What are the notification requirements?
Importantly, the Bill imposes obligations on entities in relation to suspected, and actual, eligible data breaches such that:
- If an entity has reasonable grounds to suspect that there may have been an eligible data breach, the entity must carry out a reasonable and expeditious assessment of the suspected data breach, and must complete that assessment within 30 days of becoming aware of the grounds for suspicion.
- If an entity has reasonable grounds to believe that there actually has been an eligible data breach (arising out of the results of an assessment or otherwise), the entity must, as soon as practicable:
- prepare a statement that sets out the identity and contact details of the entity, a description of the eligible data breach, the kind(s) of information concerned that were the subject of the eligible data breach and recommendations as to the steps affected individuals should take in response to the eligible data breach;
- provide a copy of the statement to the Commissioner; and
- notify the contents of the statement to each of the individuals affected or at risk from the eligible data breach. If it is not practicable to notify each of the individuals, a copy of the statement must be published on the entity’s website and the entity must take reasonable steps to make the contents of the statement known.
- The Commissioner may also direct an entity to report an eligible data breach in circumstances where the Commissioner is aware that there are reasonable grounds to believe that an eligible data breach has occurred.
Are there any exceptions to the notification obligation?
The Notification Scheme provides a number of exceptions to the notification obligation, including for enforcement-related activities and Commonwealth secrecy provisions. In particular, where the same eligible data breach affects more than one entity (for example, where one entity holds information on behalf of another), the Notification Scheme does not apply to the other affected entities provided that one of them discharges the notification obligations. The legislation does not, however, decide which entity must do so. It is therefore important that an entity ensures that responsibility for compliance with the Notification Scheme is sufficiently addressed in any contractual relationship under which personal information is shared or held.
What are the consequences for non-compliance?
A failure to comply with the Notification Scheme will be considered an interference with the privacy of an individual under the Privacy Act. This means that an entity may be exposed to civil penalties on two fronts: for the underlying data breach, where it reflects a failure to take reasonable steps under APP 11 to protect information from misuse, interference and loss, and from unauthorised access, modification or disclosure; and, separately, for a failure to notify under the Notification Scheme. Civil penalties for serious or repeated interferences with privacy currently attract a maximum penalty of $1.8 million for companies and $360,000 for individuals.
The amendments are expected to come into effect within the next 12 months. It is important that your organisation is prepared for the introduction of the Notification Scheme and is able to comply with its requirements, including the 30-day assessment window, before it commences.
In particular, we recommend that your organisation take this time to:
- review existing and standard contractual arrangements to ensure adequate privacy and security obligations are in place;
- consider amending standard contracts to include provision(s) specifically addressing the new Notification Scheme and, in particular, who is responsible for compliance should an eligible data breach occur;
- assess your own security systems to ensure sufficient security measures are in place to address and mitigate rising cyber risks, including data breaches;
- ensure your organisation has a robust response plan in place; and
- prepare a draft notification statement and implement procedures necessary to comply with the notification requirements.