Privacy law is once again on the Government’s legislation reform agenda with the introduction on Wednesday of the Privacy Amendment (Privacy Alerts) Bill 2013.
The Bill, if passed, will amend the Privacy Act 1988 (Cth) to introduce a new mandatory data breach notification scheme for entities regulated under the Federal Act, including public sector agencies, private sector organisations (other than small business), credit reporting bodies and credit providers.
Under current Australian privacy law, there is no legal requirement for an entity to notify either affected individuals, or the Commissioner, if personal information the entity holds is compromised. The Federal Privacy Commissioner (part of the Office of the Australian Information Commissioner) actively encourages voluntary notification by entities in accordance with the OAIC’s guide Data Breach Notification: A guide to handling personal information security breaches.
Wednesday’s introduction of the mandatory notification scheme comes approximately five years after the Australian Law Reform Commission first considered this, and myriad other issues, in its 2008 Report For Your Information: Australian Privacy Law and Practice. The ALRC recommended at the time that the Privacy Act be amended to compel entities to notify individuals where data breaches cause a real risk of serious harm. Somewhat belatedly, the Government released a discussion paper in October 2012 to canvass stakeholder views on the introduction of a mandatory data breach scheme: submissions closed the following month and were not made available or commented on by the Attorney-General until the day before the introduction of this Bill into the Federal Parliament.
The Government’s mandatory notification scheme implements in large part the model first recommended by the ALRC. Specifically, the threshold test for notification under the new scheme reflects the ALRC’s recommendation for a high threshold based on a reasonable belief by the entity concerned that the data breach is sufficiently serious to pose a real risk of serious harm to affected individuals. The Bill, and its Explanatory Memorandum, are not particularly clear on the meaning of the term serious harm, other than to note that it includes reputational, economic, financial, physical and psychological harm, but excludes minor harm. It is expected that the Commissioner will provide further guidance on this issue.
The OAIC Guide suggests that serious harm may include identity theft, disclosure of credit card details and the stigma, embarrassment and discrimination that may result from the misuse of health information. Ultimately, entities will need to assess each data breach on a case-by-case basis to determine whether the circumstances of the breach give rise to a reasonable belief that affected individuals face a real risk of serious harm.
In the event of such a breach, the provisions of the Bill require the entity to notify each affected individual and the Commissioner as soon as practicable. The data breach notice must include:
- the identity and contact details of the entity;
- a description of the breach;
- the kinds of personal information concerned;
- recommendations about the steps that individuals should take in response to the breach; and
- any other information specified in the regulations.
The Bill appears to express a preference for direct notification of affected individuals using the methods of communication normally used by the entity to communicate with the individual. In the absence of such a method, the entity must take reasonable steps to notify the individual (e.g. by email, telephone or post).
Where, however, it is impossible or impracticable to contact each affected individual, the Bill requires an entity to publish a copy of the statement on its website and in each State via publication in a generally circulating newspaper in that State. The circumstances in which such indirect notification is to be undertaken are to be prescribed in the regulations.
Where it is in the public interest to do so, the Commissioner may exempt an entity by notice from its notification obligations. Such notices may be issued upon application or on the Commissioner’s own initiative.
The Bill also provides the Commissioner with the power to direct an entity to notify affected individuals if it has not done so. A failure to comply with the notification requirements of the Bill, or with a direction by the Commissioner to notify, amounts to an interference with the privacy of an individual, which triggers all of the Commissioner’s enforcement powers, including the investigative powers, the power to make determinations, to award compensation, to seek enforceable undertakings and to seek civil penalties for serious or repeated interferences with privacy.
If passed by Parliament, the mandatory data breach notification scheme will commence at the same time as the new Australian Privacy Principles (APPs) and credit reporting scheme, 12 March 2014.