Australia’s mandatory data breach notification laws will come into effect by 28 February 2018. To best manage the new regime, businesses are encouraged to review their existing information security and privacy policies and procedures.
A key focus of any organisation’s review of procedures and policies should be to consider the pre-existing obligations already imposed on them by the in-force Privacy Act and the Australian Privacy Principles (APPs), which provide the foundation for Australia’s breach notification laws.
An incident that triggers the need for a notification under the incoming breach notification laws will not necessarily amount to a breach of other existing obligations under the Privacy Act and the APPs. However, any regulatory or third party investigations following a notified breach will almost certainly examine the extent to which a business has complied with the privacy framework as a whole – that is to say, the Privacy Act and the APPs.
Key areas that businesses should consider when preparing for Australia’s breach notification laws
1. Reasonable steps to protect personal information: A centrepiece of Australia’s privacy laws is APP 11, which requires entities holding personal information to take reasonable steps to protect that information from misuse, interference and loss, and from unauthorised access, modification or disclosure. The breach notification laws use the terminology found in APP 11, with reference to ‘unauthorised access’, ‘unauthorised disclosure’ or ‘loss of’ personal information also forming elements of what constitutes an ‘eligible data breach’ under the incoming breach notification laws. Businesses should consider the practices and procedures they have in place to protect against:
- virtual and physical unauthorised access to personal information;
- the accidental or inadvertent loss of personal information; and
- the unauthorised disclosure of personal information.
Businesses should also ensure they destroy or de-identify information they no longer need to hold in accordance with APP 11.2.
2. Practices and procedures by third party providers to protect information: Many publicised data breaches have been facilitated through the systems of a compromised third party provider. These attacks can be particularly difficult to identify as they can appear to be legitimate access through the compromised third party system. Many businesses are opting to outsource some or all of their data storage and processing requirements to third party providers, both locally and internationally.
The requirement under APP 11 for an entity to take reasonable steps to protect information from misuse applies to information held on its behalf by third party providers. APP 8 requires an entity intending to disclose personal information to an overseas recipient (for example, an overseas cloud provider) to take reasonable steps to ensure the recipient does not breach the APPs. The breach notification laws also require an entity to notify an eligible data breach by a third party where it involves personal information held on the entity's behalf. This reinforces the obligations within APP 8 and organisations should consider how their third party providers also protect personal information, including the practices and procedures for protecting data, reporting incidents and managing incident response.
3. Confirm the reason you are holding personal information: The purpose for collecting and holding personal information is critical. APP 6 requires that personal information be collected and held for a particular purpose and not be used for another purpose, unless an exception exists under the Privacy Act. Given the nature of data breaches to be notified under the breach notification laws, entities should also carefully consider whether they remain compliant with APP 6 where a breach incident occurs, and what steps should be taken post breach to reduce the risk of breaching APP 6.
4. The investigative powers of the OAIC: Under the Privacy Act, the Office of the Australian Information Commissioner (OAIC) has the power to initiate an investigation into complaints alleging interference with the privacy of the individual (including by way of a data breach). The OAIC can also initiate an investigation when it considers an act or practice could interfere with the privacy of an individual or should otherwise be investigated, for example, because it may highlight a systemic issue that may compromise data privacy. The OAIC may carefully consider initiating investigations where it appears an entity has not properly assessed a suspected eligible data breach, or failed to comply with the breach notification laws.
The OAIC can carry out investigations in such manner as the Commissioner sees fit and has a range of powers, including the power to examine witnesses and compel production of documents. The OAIC has the power to make formal determinations, declarations (including remedial steps an entity must take), award compensation and can also impose significant civil penalties of up to 2000 penalty units and seek enforceable undertakings.