- Following the release of a Discussion Paper in October 2012, the Federal Government has introduced the Privacy Amendment (Privacy Alerts) Bill 2013 in Parliament.
- Under the Bill, entities regulated by the Privacy Act (1988) (Cth) will be required to notify individuals and the Australian Information Commissioner where there has been unauthorised access to, or disclosure of, personal information, or where personal information is lost in circumstances that could give rise to unauthorised loss or disclosure.
- The Commissioner will have the authority to direct an entity to notify of a data breach, and to give an exemption from notification where it is in the public interest to do so.
- Penalties of up to $1.7 million may apply for failure to notify the Commissioner and affected individuals in the event of a data breach.
On 29 May 2013 the Privacy Amendment (Privacy Alerts) Bill 2013 (the Bill) was introduced into Parliament. If passed, the Bill will create a mandatory notification scheme for serious data breaches commencing on 12 March 2014. This date coincides with the commencement of the Australian Privacy Principles (APPs) and other major privacy reforms previously reported.1
Data breaches have been the subject of increased media attention and public scrutiny, for both the government sector and private entities. Typical breach scenarios can involve hacking, theft of equipment or paper files, loss of portable devices, inadvertent online publication and deliberate employee misconduct.
Currently, there is no broad mandatory scheme. The Office of the Australian Information Commissioner’s Data Breach Notification guide is a best practice guide only.2
A mandatory notification scheme was initially recommended in 2008 by the Australian Law Reform Commission in their report, For Your Information: Australian Privacy Law and Practice.3
The Australian Government released a Discussion Paper titled Australian Privacy Breach Notification in October 2012, which discussed the broad public policy advantages in having a mandatory data breach notification scheme, including:
- providing affected individuals with the opportunity to mitigate the consequences of the breach, e.g. to change their passwords or cancel credit cards
- acting as an incentive to organisations to adequately secure or dispose of personal information
- giving the public and Government better information on the scope and frequency of data breaches, and
- maintaining community confidence in statutory privacy protection in Australia.
Who will be subject to mandatory data breach notification law?
All entities currently subject to the Privacy Act 1988 (Cth) (the Act) will be subject to the notification scheme where they would have been subject to particular data security obligations under the Act in relation to the compromised information. Accordingly, exemptions such as those for small businesses and employee records will continue to apply in relation to personal information generally. However, those exemptions will not apply to relevant breaches by credit reporting bodies, credit providers and tax file number recipients.
What will trigger notification?
The notification provisions of the Bill are triggered where there has been unauthorised access to, or disclosure of, personal information, or where personal information is lost in circumstances that could give rise to unauthorised loss or disclosure.
A breach is considered to be a ‘serious data breach’ where it results in a real risk of serious harm to any individual significantly affected by the breach. The type of ‘harm’ is not limited to financial harm, and also includes harm to reputation and economic harm.
As noted in the Explanatory Memorandum for the Bill, the trigger mechanisms would apply to unauthorised access to personal information as a result of ‘a malicious breach of the secure storage and handling of that information (e.g. a hacker attack), an accidental loss (most commonly of IT equipment or hard copy documents), a negligent or improper disclosure of information, or otherwise.’4
Who will decide on whether to notify?
There is an obligation on entities to notify where they believe on reasonable grounds that there has been a serious data breach.
The Australian Information Commissioner (the Commissioner) may give a written exemption to an entity, either on the Commissioner’s own initiative or on application by the entity, where the Commissioner is satisfied it is in the public interest to do so. Once an entity has applied to the Commissioner for an exemption, the entity is not under an obligation to give notification until the Commissioner makes their decision and provides written notice to the entity.
The Commissioner also has the ability to direct an entity to notify of a data breach. The Commissioner’s decision to give an exemption or to direct an entity to notify is a decision which would be reviewable by the Administrative Appeals Tribunal.
What will be reported, and in what time frame?
Where an entity believes on reasonable grounds that there has been a serious data breach (as described above) the entity must, as soon as practicable, prepare a statement that sets out the description of the breach, the kinds of information concerned and recommendations about the steps that individuals should take in response to the breach.
The entity must then provide this statement to the Commissioner and, depending on the circumstances, provide the statement to either the individual concerned or the media directly. The circumstances in which the statement must be provided to the media directly have not yet been decided by the Government, but the Explanatory Memorandum envisages that this may cover circumstances where it is impossible to notify the individual directly or where an attempt to notify each individual would be ineffective.
What is the penalty for failure to notify?
Where an entity fails to notify affected individuals after a serious data breach, the Commissioner has powers under the Act to investigate, make determinations and provide other remedies. This could include seeking enforceable undertakings and pursuing civil penalties of up to $1.7 million for serious or repeated breaches.
What happens next?
If the Bill is passed, the amendments would come into force on 12 March 2014, at the same time as the Privacy Amendment (Enhancing Privacy Protection) Act 2012.5 The Bill provides that the notification provisions will apply to any disclosure, access or loss that occurs after the commencement date.