Two significant developments in Privacy Law reforms in Australia have occurred during Privacy Awareness Week, with the Australian Government announcing it will introduce major legislative reform of the Privacy Act in this year’s winter sitting of Parliament, and the OAIC’s release of updated data breach notification guidelines.

Reforms to Privacy Act to be introduced to Parliament

The greatly anticipated reform of the Privacy Act 1988 (Cth) has edged a step closer to implementation with the Attorney-General announcing that the Government will introduce amendments to the Privacy Act in Parliament later this year.  The amendments are the first stage of the Government’s response to the report prepared by the Australian Law Reform Commission (ALRC) in 2008 on the protection of privacy in Australia.

The key changes the reform will propose to the Privacy Act include:

  • A single set of Australian Privacy Principles to replace and unify the current National Privacy Principles and Information Privacy Principles. (An exposure draft of these principles was released in June 2010, which we summarised in our Corrs In Brief publication).
  • New powers for the Privacy Commissioner to enhance the Commissioner’s ability to resolve complaints, conduct investigations and promote privacy compliance.
  • Modernised credit reporting arrangements.
  • Strengthened regulation on the use of personal information in direct marketing.

The reforms propose to significantly bolster the powers of the Commissioner to:

  • allow the Commissioner to seek a written undertaking, enforceable in Court, that the organisation will take or refrain from a specified action;
  • make determinations following an investigation conducted on the Commissioner’s own initiative;
  • seek civil penalties for serious or repeated interferences with privacy; and
  • conduct performance assessments of private sector organisations handling personal information.

We will continue to watch this space and keep you informed of new developments.

Updated Data Breach Notification Guidelines released

Data security is a critical issue in today’s digital environment given the developments in technology which enable the widespread dissemination of personal information.  Several high profile cases have highlighted the ramifications of data security breaches and the concerns about the failure of organisations to notify affected individuals and regulators of data breaches.

The Office of the Australian Information Commissioner (OAIC) has launched its updated Data Breach Notification Guidelines during Privacy Awareness Week.

The Guidelines update the OAIC’s earlier 2008 guide, and provide organisations with general guidance for responding to a data breach involving personal information they hold. The Guidelines set out the following general steps for responding to a data breach:

  1. Contain the breach and do a preliminary assessment.
  2. Evaluate the risks associated with the breach.
  3. Consider breach notification.
  4. Review the incident and take action to prevent future breaches.

The Guidelines recommend that if a data breach creates a real risk of serious harm to an individual, the organisation should directly notify the affected individual as soon as reasonably possible. The Guidelines also strongly recommend that an organisation notify the OAIC of a data breach if the circumstances of the breach indicate it is appropriate to do so.

The OAIC advocates that notification is good privacy practice because it promotes openness about an organisation’s privacy practices, restores public trust in the organisation and may be considered a reasonable security safeguard in compliance with the requirements of the Privacy Act.

The Guidelines also highlight the complexities that may arise where the breach involves information held by a third party ‘cloud’ data storage provider that is based outside Australia. In these circumstances, the OAIC recommends that the organisation with a direct relationship with the affected individuals should be responsible for notification of the data breach.

A sign of things to come?

The ALRC 2008 report recommended that the Privacy Act be amended to include a mandatory requirement for organisations to notify the Privacy Commissioner and affected individuals when personal information is acquired by an unauthorised person which may give rise to a real risk of serious harm to any affected individuals.

Although the Government has not yet responded to this recommendation (this will be considered in the second stage of the Government’s response to the ALRC 2008 report), there is increased pressure on the Government to introduce a mandatory data breach notification requirement in the Privacy Act to reflect practices in other jurisdictions including Europe, the United Kingdom and the United States.

Whilst the Guidelines are still voluntary, the OAIC strongly recommends that organisations follow the steps in the Guidelines.  A key message of the Guidelines is to encourage organisations to act now and voluntarily implement a data breach notification procedure while the Government considers reforms to the Privacy Act and the introduction of a mandatory notification scheme.

The release of the Guidelines draws increased attention to implementation of data breach notification practices within an organisation, and is perhaps the strongest indication to date of what a data breach notification scheme would look like should it become a mandatory requirement in the Privacy Act.