After several stalled attempts, on 13 February 2017, the Australian Senate passed legislation amending the Privacy Act 1988 (Cth) requiring regulated entities to report "eligible data breaches" to the Privacy Commissioner and to affected individuals.
When does this obligation commence?
The Government can designate a start date. If it does not, then the obligation commences 12 months from the date of royal assent. Accordingly, it is almost certain this obligation will apply in early 2018, and most likely earlier.
Who does this obligation affect?
It applies to entities already regulated by the Act. These include businesses with annual turnover exceeding $3 million, health service providers, Commonwealth Government agencies, credit providers and credit reporting bodies.
What is this obligation?
Essentially, any regulated entity must report to the Privacy Commissioner and to affected individuals "as soon as practicable" after becoming aware that an "eligible data breach" has occurred.
Additionally, where the entity suspects that an "eligible data breach" may have occurred, it has 30 days to investigate its suspicions and determine whether the breach occurred. If the organization confirms the breach, then it must notify the Commissioner and affected individuals.
When does an "eligible data breach" occur?
An "eligible data breach" occurs when either of the following applies:
- there is unauthorized access to or disclosure of the information and a reasonable person would conclude that such access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates; or
- the information is lost in circumstances where unauthorized access to, or unauthorized disclosure of, the information is likely to occur and, assuming that such access or disclosure has occurred, a reasonable person would conclude that such access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates.
Serious harm includes serious financial, economic or physical harm. It also includes serious emotional or psychological harm, or serious harm to an individual's public reputation.
In determining whether access or disclosure would be likely or not likely to result in serious harm, there are several statutory factors to be considered, including:
- the kind(s) of information;
- the sensitivity of the information;
- whether security measures (such as encryption) protect the information;
- the likelihood that such measures can be defeated;
- the person(s), or kind(s) of person(s) who have obtained or who could obtain access to the information; and
- the nature of the harm.
As examples, malicious breaches of secure storage and information handling would almost certainly be an eligible data breach. Similarly, the inadvertent loss of a computer or storage device (such as a USB stick) containing personal information where the device can be recovered by a third party would almost certainly be an eligible data breach.
Are there exceptions to the obligation?
There are several exceptions, namely:
- remedial action taken to prevent serious harm to any affected individual before the individual suffers the harm;
- if the breach applies to multiple entities, only one entity must notify the Commissioner and affected individuals for all entities to comply with their statutory obligations;
- notification is not required if it would be likely to prejudice law enforcement related activity;
- notification is not required if it would be inconsistent with a secrecy provision; and
- at the Commissioner's discretion (based on reasonable grounds).
We look at the exceptions that are most likely to apply - remedial action and multiple entities affected by the one eligible data breach.
What comprises remedial action?
If an entity takes action in relation to the data breach and, as a result of the action, a reasonable person would conclude that the breach is not likely to result in serious harm to any affected individual, the data breach is not an "eligible data breach". Consequently, there is no obligation to report the breach to the Commissioner or to the affected individuals.
The legislation is vague on the nature and extent of the remedial action. It will depend on a number of factors, including the nature and extent of the breach being remedied.
The exception applies only if the remedial action was taken before the individual(s) were harmed. If the action prevents some (but not all) of the individuals being harmed, then the obligation to notify is reduced to exclude an obligation to notify those individuals protected by the remedial action.
What happens if more than one entity is affected by the breach?
Where an eligible data breach affects multiple entities, the Act will require only one of the affected entities to report the breach. Once the report is made, then all the affected entities are taken to have complied with their statutory reporting obligation.
This scenario will commonly occur when one entity has outsourced the management of personal information (in some fashion) to a third party. For example, in October 2016, records of blood donors were unwittingly exposed to the public when a contractor to the Australian Red Cross Blood Service made those records available via an unsecured website.
In this scenario, the entities must determine (between themselves) which entity will assume responsibility for complying with the notification obligation (assuming that remedial action cannot be taken to avert the serious harm to affected individuals).
What goes into the notification? How do I notify affected individuals?
The Act will dictate the substance of the notification. It must contain the entity's name and contact details, a description of the breach, the kind(s) of information involved and steps the entity recommends individuals take to protect themselves from the potential for serious harm.
The entity must take reasonable steps to notify affected individuals of the breach, such as through email, by phone or by post. However, if the entity determines that it is not practicable for it to notify affected individuals directly, then it must publish the statement on its website and otherwise take reasonable steps to publicise the statement.
What happens if I don't notify the Commissioner or affected individuals?
The Act will deem a failure to comply with the notification obligations as an interference with the privacy of an individual. This triggers the Commissioner's existing powers to investigate, make determinations and order remedies for the non-compliance.
Ultimately, an entity that fails to comply with its statutory obligations may face civil penalties of up to $1.8 million (if the entity is a corporation).
What steps should I now take?
While the amendments have been passed, they are not yet operational. This gives regulated entities some time to brush up on their risk management policies and procedures concerning data breaches.
Clearly, the best way of avoiding the potential embarrassment of notifying a data breach is to prevent the breach from occurring in the first place.
Regulated entities are already under a statutory obligation to destroy or de-identify personal information when that information is no longer needed. Therefore, auditing the personal information a regulated entity holds and destroying or de-identifying what it no longer needs removes the risk of that information being exposed in a data breach.
It is also advisable for entities to review and update their data security and privacy policies and procedures. This will almost certainly require attention at the boardroom and senior executive level, in order to embed the need for strong data security into the entity's culture.
Entities should also critically review existing supplier arrangements to understand whether and (if so) to what extent suppliers are currently bound to report and handle potential data breaches.
Although it is impossible to come up with a "one size fits all" approach to data breach notification, laying the groundwork for an action plan to implement if and when a data breach is suspected or detected will assist regulated entities to comply with their forthcoming statutory obligations.