On 22 February 2017, the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) (Act) received royal assent. This legislation amends the Privacy Act 1988 (Cth) (Privacy Act) to introduce a mandatory data breach notification system in Australia (Notification Regime).
Broadly speaking, under the Notification Regime, entities regulated by the Privacy Act will be required to notify impacted individuals and the Office of the Australian Information Commissioner (OAIC) if personal information that the entity holds is subject to a data breach. The passage of the Act is important as, before this Act was introduced, there was no express requirement in the Privacy Act for entities to notify affected individuals and/or the regulator when a data breach occurred.
When does the Act commence?
Although the Act has been passed, it does not take effect until 23 February 2018, unless an earlier date is fixed by Parliament (it is not clear whether this will occur). Importantly, the Act will only apply to data breaches that occur after it has commenced and will not operate retrospectively. In preparation for its commencement, entities should familiarise themselves with the key terms of the Act, which are outlined below.
Who does the Notification Regime apply to?
The Notification Regime will apply to any entity that is currently subject to the Privacy Act. This includes tax file number recipients and “APP entities”. The definition of “APP entity” includes many private sector organisations and most federal government agencies, but generally excludes “small business operators” (i.e. an organisation that carries on business with an annual turnover of $3,000,000 or less per financial year). However, it is important to note that some entities that are “small business operators” will still be regulated by the Privacy Act (e.g. businesses that provide a health service and hold health information other than in an employee record).
Which data breaches must be notified?
Not every data breach will have to be notified. Notification is required only if a reasonable person would conclude that the data breach would be "likely to result in serious harm" to any of the affected individuals. This is referred to in the Act as an “eligible data breach”.
"Serious harm" is not defined in the Act, however the Explanatory Memorandum to the Act states that serious harm is not restricted to economic and financial harm; it could include physical, psychological and emotional harm.
Whether a reasonable person would conclude that serious harm is "likely" depends upon a broad range of factors including the following:
|(a)||the type and sensitivity of personal information – for example, a data breach involving government-issued identifiers (such as passport and driver's licence numbers) or financial details (such as credit card details) might pose a greater risk of harm to the individual than a data breach involving only their name;|
|(b)||the quantity of the personal information compromised - for example, a combination of personal information (name, address and date of birth) typically creates a greater risk of harm than a single piece of information;|
|(c)||the permanence of the personal information compromised - for example, a compromised customer password can be reissued, however information about a person's date of birth or medical history cannot;|
|(d)||the identity of the unauthorised recipient - for example, access by a trusted, known party is less likely to cause serious harm than access by an unknown party, a party suspected of involvement in criminal activity or a party who might misuse the relevant information (such as a person against whom the individual has a restraining order); and|
|(e)||whether the information is protected by any security measures – for example, encryption or password protection and the likelihood that those security measures could be overcome.|
How does the Notification Regime work?
Entities that have reasonable grounds to suspect that an eligible data breach has occurred will be required to carry out a “reasonable and expeditious assessment” of the suspected data breach. The entity will need to take reasonable steps to ensure the assessment is completed within 30 days after it becomes aware of the suspected data breach.
If an entity has reasonable grounds to believe that an eligible data breach has occurred, it must promptly notify the affected individuals and OAIC. This will involve:
|(a)||preparing a statement setting out the entity’s identity and contact details, a description of the breach, the kind of information concerned and recommendations about what the affected individuals should do in response;|
|(b)||giving a copy of the statement to the Australian Information Commissioner;|
|(c)||if practicable, taking reasonable statements to notify the contents of the statement to each individual to whom the relevant information relates, or, if it is not practicable to do so, to the individuals who are "at risk" of serious harm from the breach. An entity might choose to notify a statement under the first option where it would require an unreasonable amount of resources to assess which affected individuals are “at risk” from an eligible data breach and which are not. On the other hand, the second option may be more practicable if an entity is able to ascertain with a high degree of confidence that only some particular individuals are “at risk” from the eligible data breach; and|
|(d)||if neither of the above methods are practicable, the entity must publish the statement on its website and take reasonable steps to publicise its content.|
Are there any exceptions?
There are a number of exceptions to the Notification Regime.
For example, the Notification Regime will not apply where an entity has taken remedial action after the data breach has occurred, and as a result of this remedial action, a reasonable person would conclude that the unauthorised access or disclosure of the information is not likely to result in serious harm.
Other circumstances where notification is not required include where it would be likely to prejudice law enforcement activities, where it is inconsistent with other Commonwealth laws that regulate the use or disclosure of information, or where the Australian Information Commissioner declares that an entity is exempt.
What are the consequences of not complying with the Act?
Failing to comply with the Act would be an "interference with the privacy of an individual", which may amount to a breach of a civil penalty provision of the Privacy Act. The main consequences include the risk of a determination to pay compensation and also the risk of paying civil penalties of an amount up to $1.8 million (for corporations) and $360,000 (for individuals).
It is important that your organisation (if it is regulated by the Privacy Act) is in a position to comply with the Act once it commences. Some of the steps we recommend be taken include:
|(a)||reviewing, and if necessary, updating your privacy policies;|
|(b)||informing your staff about the operation and implication of the Notification Regime;|
|(c)||adopting a formal response plan to data breaches; and|
|(d)||considering any third party arrangements in place, and whether these may be affected by the Notification Regime.|