Earlier this month, the Australian senate passed the Privacy Amendment (Notifiable Data Breaches) Bill 2016 after five years of deliberation and uncertainty. This means that it will soon be mandatory for certain businesses to notify the Privacy Commissioner and affected customers of ‘eligible’ data breaches.
Timothy Pilgrim, the Australian Privacy and Information Commissioner, stated: "The new scheme will strengthen the protections afforded to everyone’s personal information, and will improve transparency in the way that the public and private sectors respond to serious data breaches. It will also give individuals the opportunity to take steps to minimise the damage that can result from unauthorised use of their personal information."
Who do the laws apply to?
The provisions apply to organisations and government agencies already governed under the Privacy Act – including businesses with an annual turnover of more than $3 million as well as businesses that handle personal information.
What is an ‘eligible’ data breach?
A data breach can arise where there has been:
- "Unauthorised access to, or unauthorised disclosure of, personal information about one or more individuals (the affected individuals)"; OR
- Where personal information is lost in circumstances that are likely to give rise to unauthorised access or unauthorised disclosure.
According to the explanatory memorandum, such a breach will be an ‘eligible’ data breach "where a reasonable person would conclude that there is a likely risk of serious harm to any of the affected individuals as a result of the unauthorised access or unauthorised disclosure (assuming, in the case of loss of information, that the access or disclosure occurred)."
There are some key words here that need to be unpacked:
- "Unauthorised access/disclosure" includes malicious breaches (i.e. hacking) as well as unauthorised access/disclosure due to negligence.
- "Personal information" can include medical records, bank account details, photos and videos, tax file number information, credit details, and details about an individual’s personal preferences and occupational history.
- "Likely" means "more probable than not" (see paragraph 11 of the Explanatory Memorandum).
- "Reasonable person" refers to an objective standard of a "reasonable person", as distinct from a subjective standard based on what the business itself believes to be likely. This means that a "reasonable person" must be satisfied that the risk of serious harm is "likely" (i.e. more probable than not).
- "Serious harm" could "include serious physical, psychological, emotional, economic and financial harm, as well as serious harm to reputation and other forms of serious harm that a reasonable person in the entity’s position would identify as a possible outcome of the data breach" (see paragraph 8 of the Explanatory Memorandum).
It will not be sufficient for an affected individual to be distressed by the breach, unless their distress is accompanied by some form of serious harm.
The Explanatory Memorandum notes that the risk of serious financial, economic or physical harm is likely to be the most common type of harm that gives rise to notification, but also notes that an eligible data breach involving ‘sensitive information’ such as health information is also likely to result in serious psychological, emotional, or reputational harm.
What is the process of notification?
Entities covered under the Privacy Act must notify the Privacy Commissioner and affected individuals "as soon as practicable" after becoming aware of an eligible data breach.
The notification must include:
- The identity and contact details of the organisation that has experienced the breach
- A description of the eligible data breach and the type of information concerned
- Recommended steps for affected customers to take in response to the breach
The organisation must take "reasonable steps" to inform affected individuals of the breach, and is encouraged to do this via its usual communication methods so that customers are less likely to dismiss the notification as a scam. Depending on the practicability of notification, the organisation may also be required to publish the notification on its website or elsewhere.
Where organisations become aware of a suspected eligible data breach, they must perform an assessment within 30 days to determine whether a breach has actually occurred.
These obligations also apply where "personal information" has been disclosed to foreign recipients.
It is possible that entities will be exempted from notification if they have taken remedial action. This applies where a reasonable person would conclude that, as a result of the remedial action, the breach is not likely to result in serious harm to the affected individuals. The exception also applies "where remedial action has prevented a loss of information from leading to an unauthorised access or disclosure".
The Privacy Commissioner also has a broader discretion to exempt organisations where the Commissioner is satisfied that it is "reasonable in the circumstances to do so", and will likely consider this on a case-by-case basis.
What are the penalties?
The Privacy Commissioner can apply to the Federal Court or Federal Circuit Court for a civil penalty where there have been serious or repeated breaches of the laws.
An individual could face a penalty of up to $360,000, while organisations can be fined up to $1.8 million.
When does the law come into force?
Having been passed by both Houses of Parliament, the Bill now only needs to receive royal assent from the Governor-General (a formality) before it becomes law. The law will then come into force within 12 months unless the government chooses an earlier date of commencement.
What should you be doing now?
Organisations currently governed by the Privacy Act (and those which are likely to fall within its ambit in the near future) should review their data security practices as soon as possible and "continue to take reasonable steps to make sure personal information is held securely – including being equipped with a clear response plan in the event of a data breach", according to the Commissioner.
The Office of the Australian Information Commissioner will be providing additional guidance over the next 12 months, including events and updated guidelines on data breach notification and on developing a data breach response plan.
If you have any questions about your data security practices, please do not hesitate to contact Dianne Gibert, Managing Director of Service Excellence Consulting Pty Ltd.