On 19 October the Privacy Amendment (Notifiable Data Breaches) Bill 2016 (the Bill) was introduced into the House of Representatives. At the time of writing the Bill has passed the second reading state in the House of Representatives. If passed, the new law will require entities subject to the Privacy Act 1988 (Cth) to notify data subjects and the Information Commissioner of an "eligible data breach".
Businesses that are subject to the Privacy Act 1988 (Cth) are required to take reasonable steps to protect personal information from misuse, interference and loss, unauthorised access, modification and disclosure under Australian Privacy Principle 11. However, under existing law they are not subject to a mandatory breach notification requirement. The Office of the Australian Information Commissioner (OAIC) has previously issued guidance on handling personal information security breaches which states that "if a data breach creates real risk of serious harm to the individual, the affected individuals should be notified." Compliance with the guidance is not mandatory.
What do you need to know:
1. What is the trigger for the notification requirement?
An eligible data breach requiring notification is triggered when there is an unauthorised access to, unauthorised disclosure, or loss of personal information that a reasonable person would conclude is likely to result in serious harm to the individuals to whom the personal information relates.
2. When do you have to notify?
You must, as soon as practicable after you become “aware that there are reasonable grounds to believe" there has been an eligible data breach, prepare a statement regarding the breach (Statement) and provide it to the Information Commissioner.
3. Who must be notified?
In addition to notifying the Information Commissioner, you must, as soon as practicable after completion of the Statement, notify each individual to whom the personal information relates, or the individuals who are at risk from the eligible data breach. If you cannot do either of these, you must publish a copy of the Statement on its website (if it has one) and otherwise take reasonable steps to publicise the contents of the Statement.
4. Who must do the notifying?
The entity holding the personal information is responsible for notifying the individuals. Where more than one entity holds the same records, if one entity notifies the individuals of the breach the other entities holding the same records are absolved from their responsibility to notify.
5. Are you exempt from notifying?
You will be exempt from notification if:
- you take sufficient remedial action in response to unauthorised access or disclosure of personal information such that the access or disclosure would not likely result in serious harm;
- you take sufficient remedial action in response to loss of personal information such that there is not unauthorised access to or disclosure of the information or any access or disclosure would not likely result in serious harm;
- you are a law enforcement body and your CEO believes on reasonable grounds the disclosure would likely prejudice one or more "enforcement related activities"; or;
- notification would be inconsistent with any Commonwealth law that prohibits or regulates the use or disclosure of information (“secrecy provisions”).
6. How long do I have to prepare for these changes?
The Act will come into effect 12 months after the day on which it receives Royal Assent.
Expectations to eligible data breach events
The Bill includes an exemption from notification for APP entities, credit reporting bodies and credit providers that take remedial action in relation to the access to, disclosure, or loss of information. This exemption will apply upon satisfaction of the objective test as to whether, as a result of the action, a reasonable person would conclude that:
- there is no unauthorised access to or disclosure of the information which has been lost; or
- the access to or disclosure of the information (lost or otherwise) would not be likely to result in serious harm to any of the individuals.
A determination of whether access or disclosure of information would be likely, or not likely, to result in serious harm must contemplate the following matters, in addition to the kind and sensitivity of the information:
- whether the information is protected by a password or other security measure;
- whether that security measure can be easily overcome;
- where encryption is used, the likelihood that any person who has obtained the information has, or is likely to have, the intention of causing harm to the individuals and is able to circumvent any such encryption; and
- the nature of the harm.
Positive duty to investigate and notify
The Bill introduces a positive obligation on entities that are aware that there are reasonable grounds to suspect they are the subject of an eligible data breach to undertake a reasonable and expeditious assessment of whether there are reasonable grounds to form such suspicion. The entity need not have reasonable grounds to believe that an eligible data breach of the entity has in fact occurred. The entity must take all reasonable steps to ensure the assessment is completed within 30 days of becoming aware that there are reasonable grounds for the suspicion.
If the entity's investigation confirms there are reasonable grounds to believe an eligible data breach has occurred, the entity must prepare and submit a statement to the Information Commissioner as soon as practicable. The statement must include:
- the entity's name and contact details;
- a description of the eligible data breach;
- the kinds of information involved in the breach; and
- recommended steps individuals should take in response to the breach.
If it is practicable to do so, the entity has the discretion to notify the contents of the statement either to:
- each of the individuals to whom the relevant information relates; or
- the individuals who are at risk from the eligible data breach.
If neither of these options are practicable, the general publication option that we saw in the 2015 consultation draft remains, such that the entity must publish the statement with the above information on its website (if it has one) and otherwise take reasonable steps to publicise its content.
New exemptions of the notification requirements
The Bill also provides that entities may apply to the Information Commissioner for a declaration that the notification requirement does not apply as a whole, or that the notification requirement be deferred for a specified period of time. It is notable that the notification requirement does not apply while the Information Commissioner is considering an application of that kind. In addition, there is no time limit in which the Information Commissioner has to determine any such application. Accordingly, the notification requirements could, in theory, be suspended indefinitely while a decision is outstanding.
To avoid duplication of applications, an entity is prevented from making an application for an exemption where another entity has already made an application in respect of the same eligible data breach. When determining whether to grant a declaration for exemption or deferral, the Information Commissioner will have regard to:
- the public interest;
- any relevant advice given to it by, without limitation, an enforcement body or the Australian Signals Directorate of the Defence Department; and
- any other matters that the Information Commissioner considers relevant.
This inevitably gives the Information Commissioner a broad set of considerations when determining whether to grant a declaration. The Information Commissioner has retained its right to direct entities to notify eligible data breaches, as contemplated by the 2015 consultation draft. However the Commissioner must now consult with the entity first before issuing any such direction.
2016 Bill versus 2015 consultation draft
There are several noteworthy differences to the Privacy Amendment (Notification of Serious Data Breaches) Bill 2015 (the consultation draft), which was released in December 2015. Click here to view our summary of the Bill. It is clear that the Government has carefully considered the 47 submissions made by the industry and stakeholders in response to the consultation draft.
They key differences between the Bill and its predecessors are:
- The key phrase "eligible data breach" is less emotive than "serious data breach" previously used. This change has been made to address stakeholders concerns that a notification may cause unnecessary alarm and/or damage to reputation.
- The reference to a "likely risk" of serious harm is a significant change from the consultation draft's requirement for a "real risk" of serious harm. According to the Explanatory Memorandum (EM) this change reflects the Government's response to stakeholder concerns about "the practicability of determining what degree of probability and what kind of harm would be captured in the phrase ‘real risk of serious harm’." Notification will instead be required upon satisfaction of the objective test as to whether a reasonable person would conclude that an eligible data breach holds a likely risk of serious harm.
- While there are no specific categories of harm prescribed by the Bill as there was in the consultation draft, the EM maintains the position that relevant harm may include emotional and psychological harm in serious cases. The EM says states the intention is that notification is not required unless "a reasonable person in the entity's position would consider that the likely consequences for those [the relevant] individuals would constitute a form of serious harm".
- In circumstances where entities jointly and simultaneously hold the same records, the requirement that only one entity need notify is a significant departure from the consultation draft's requirement for multiple notices. It will be a matter for the entities concerned to determine which entity makes the notification and it remains to be seen how this will play out in practice for joint venture and shared service arrangements.
If the Bill is passed, the mandatory notification scheme will be subject to the Privacy Act's existing enforcement framework, which entitles the Information Commissioner to apply to a court to impose a civil penalty in the case of repeated non-compliance. Businesses should therefore be wary of shirking their regulatory responsibility to notify.
The introduction of mandatory data breach notification into Australian law will raise the stakes associated with effective data security. The requirement to notify the Information Commissioner and customers if personal information is compromised may cause brand damage and have other serious business consequences.
A prudent response to this new law would include a review of information handling practices and security governance within your organisation. Please do not hesitate to contact us for advice or assistance in this regard.