UPDATE: On 22 February 2018 amendments to the Privacy Act 1988 (Cth) took effect to introduce a mandatory notification procedure for eligible data breaches.
This month at Business Breakfast Club, we discussed the changes to the Privacy Act that introduce a mandatory notification procedure for eligible data breaches. In particular, we focused on people's obligations when handling personal information and identified recommended next steps to prevent unauthorised disclosure or loss of personal information. BAL Director Katie Innes shared some of her insights on the new responsibilities surrounding information and privacy law. Katie touched on:
What is an eligible data breach:
- unauthorised access or disclosure of information that a reasonable person would conclude is likely to result in serious harm to any individuals to whom the information relates; or
- information that is lost in circumstances where unauthorised access or disclosure of information is likely to occur and it can be reasonably concluded that such an outcome would result in serious harm to any of the individuals to whom the information relates.
How and when is notification given?
Notification of an eligible data breach is given by way of a written statement to the Office of the Australian Information Commissioner and to the individuals affected by the breach, and must include:
- a description of what occurred;
- the kinds of information concerned; and
- the recommended next steps that individuals affected should take in response to the data breach.
In certain circumstances, the Commissioner may declare that notification and a written statement about the eligible data breach is not necessary. The Commissioner may make this determination having regard to factors such as the public interest, any advice that has been given to the Commissioner by an enforcement body or any other matters the Commissioner considers relevant.
When will it not be an eligible data breach?
- You “take action” in relation to the access or disclosure before any serious harm and, as a result of the action, a reasonable person would conclude the access or disclosure will not be likely to result in any serious harm; or
- You “take action” in relation to any loss of information before any unauthorised access or disclosure and, as a result of the action, there is no unauthorised access or disclosure; or
- You “take action” in relation to any loss of information after unauthorised access or disclosure but before any serious harm and, as a result of the action, a reasonable person would conclude the access or disclosure will not be likely to result in any serious harm.
If one of the above applies, the breach is not an eligible data breach and you may not be required to notify the individuals affected.
What if the personal information is held by more than one entity?
Where the personal information involved in the breach is held by more than one entity, only one entity is required to undertake the process of investigation and notification. Essentially, compliance by one is compliance by all. You will need to determine how to allocate responsibility for compliance, and establish which entity has the most direct relationship with the individuals at risk so that it can take the lead in the investigation. Failure to abide by the investigation and notification regime will be an 'interference with an individual's privacy' and therefore a breach of the Privacy Act.
If the affected individuals are not satisfied with the investigation and notification process conducted by the entity then the individuals can lodge an internal complaint.
Q. Can mailing lists be used for purposes other than what they were initially gathered for?
A. In certain circumstances, yes. Organisations that hold personal information about an individual can only use or disclose the information for the purpose or purposes for which it was collected (known as the ‘primary purpose’ of collection). However you can use the information for a ‘secondary purpose’ if:
(a) the individual has consented; or
(b) the individual would reasonably expect you to use the information for the secondary purpose and the secondary purpose is:
(i) directly related to the primary purpose (if it is sensitive information); or
(ii) related to the primary purpose (if it is any other personal information); or
(c) the use or disclosure is required by law or a Court; or
(d) a general permitted situation exists.
In respect of mailing lists, individuals have the right to update their preferences, by asking the organisation to correct their information or “opt out” of the mailing list entirely.
Q. Do the changes to the Privacy Act affect requests for files for workers compensation, when the injured employee’s lawyer requests personal and workers compensation files?
A. No. The recent changes to the Privacy Act focus on the obligation to notify the OAIC or the individuals affected if there is an “eligible data breach”. Individuals remain entitled to access their own personal information through Australian Privacy Principle 12 (and could exercise that right through a lawyer).
If the organisation disclosed information to a third party (without consent or without the legislative obligation to) then it could be considered a data breach and, depending on the potential risk to the individual affected, may be an eligible data breach.
The Business Breakfast Club is held on the second Friday of each month, the next one is on 13 April.