In October 2016, the federal Government introduced the Privacy Amendment (Notifiable Data Breaches) Bill 2016 (the Bill) to the House of Representatives to amend the Privacy Act to establish a regime for mandatory notification of eligible data breaches. There is bipartisan support for the bill, and it is likely to become law in late 2016 or early 2017.
What are the mandatory data breach notification requirements under the Bill?
The Bill requires that an entity must, as soon as practicable, comply with the notification steps outlined below if:
- the entity becomes aware that there are reasonable grounds to believe that there has been an eligible data breach of the entity; or
- the Information Commissioner directs the entity to do so.
If an 'eligible data breach' occurs in relation to information which has been disclosed to (and is held by) an overseas recipient by an entity, the entity that disclosed the information must comply.
Step 1. Prepare a statement setting out the prescribed details
The affected entity must prepare a statement that sets out:
- the identity and contact details of the entity. If the eligible data breach relates to more than one entity, the statement may set out the identity and contact details of those other entities;
- a description of the eligible data breach;
- the kind or kinds of information affected by the eligible data breach; and
- recommendations about the steps that individuals who are or may be affected by the eligible data breach should take in response to it.
If a statement is prepared at the direction of the Information Commissioner, the statement must also include any information specified in that direction.
Step 2. Give a copy of the prepared statement to the Information Commissioner
Step 3. Notify the contents of the statement to individuals whose information is affected by the eligible data breach
Where practicable, the affected entity must take reasonable steps to notify the contents of the statement to those individuals who are or may be affected by the eligible data breach. The entity may use the channels it ordinarily uses to communicate with individuals (e.g. email, text message, mail) to provide those notifications, but that does not limit the obligation to take reasonable steps or the methods of communication that the entity can use.
If it is not practicable for the affected entity to notify individuals, the affected entity must publish a copy of the statement on its website (if any) and take reasonable steps to publicise the contents of the statement.
What are 'eligible data breaches'?
An 'eligible data breach' occurs when:
- there is unauthorised access to, or unauthorised disclosure of, personal, credit reporting or credit eligibility information or a tax file number, and a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to an individual to whom the information relates; or
- personal, credit reporting or credit eligibility information or a tax file number is lost where it is likely that (a) unauthorised access to, or unauthorised disclosure of, the information will occur and (b) such unauthorised access or disclosure will result in serious harm to an individual to whom the information relates.
Remedial action exception to the definition of eligible data breaches
An eligible data breach is deemed never to have occurred where the affected entity:
- in the case of lost information, takes action before there is unauthorised access to, or unauthorised disclosure of, information which is lost, and no unauthorised access or disclosure actually occurs; or
- in the case of information which is the subject of unauthorised access or disclosure, takes action before there is serious harm to any individual to whom the information relates, and because of that action a reasonable person would conclude that the access or disclosure would not be likely to result in serious harm to any of those individuals.
What is 'serious harm'?
'Serious harm' is to be interpreted broadly. The explanatory memorandum to the Bill states that 'serious harm' could include serious physical, psychological, emotional, economic and financial harm, and serious harm to reputation.
The Bill contains a non-exhaustive list of matters to be considered in determining whether or not access to, or disclosure of, information is likely to result in 'serious harm'. These matters include:
- the kind(s) and sensitivity of the information;
- whether the information is protected by one or more security measures and the likelihood of any of these measures being overcome;
- the persons, or the kinds of persons, who have obtained, or who could obtain, the information;
- the nature of the harm.
There are a small number of circumstances in which entities are exempted from complying with the notification obligations:
- Multiple affected entities: Where the eligible data breach affects more than one entity and another entity has complied with the notification obligations, those other affected entities do not need to separately comply.
- Enforcement related activities: Where the affected entity is an enforcement body and the body's CEO reasonably believes that complying with the notification obligations is likely to prejudice any of its enforcement related activities.
- Inconsistency with a secrecy provision: Where complying with the notification obligations is, to any extent, inconsistent with a provision of a law of the Commonwealth that prohibits or regulates the use or disclosure of information.
- Declaration by the Commissioner: Where the Information Commissioner declares that the notification obligations do not apply or specifies a particular time by which the affected entity must comply with the notification obligations.
Assessment of suspected eligible data breaches
If an entity has reasonable grounds to suspect an eligible data breach may have occurred, but is not aware of reasonable grounds to believe that an eligible data breach has in fact occurred, the entity must carry out a reasonable and prompt assessment to determine whether an eligible data breach has in fact occurred. This could occur where an entity is notified of a breach by a third party.
The entity must take reasonable steps to complete the assessment within 30 days after forming the suspicion.
If the eligible data breach applies to more than one entity, only one entity needs to undertake an assessment for all entities to comply with this requirement.