PRIVACY AMENDMENT (NOTIFIABLE DATA BREACHES) ACT 2017
This Act is an amendment to the Privacy Act 1988 (Cth).
Its purpose is to introduce mandatory data breach notification requirements for agencies, organisations and other entities which are regulated by the Privacy Act 1988 (Cth). This is in recognition of the increasing amounts of personal information stored by entities electronically, and the growing risk of security breaches leading to identity theft or fraud.
The introduction of these notification requirements will better enable individuals affected by data breaches to take steps to lessen the impact of the breach on them.
The notification requirements introduced by this Act apply to entities regulated under the Privacy Act 1988 (Cth).
In particular, these new provisions will apply to bodies called “APP entities”. According to the Privacy Act 1988 (Cth) an APP entity is either an “agency or organisation.”
a. An “Agency,” as defined under section 6(1) Privacy Act 1988 (Cth), is effectively any Commonwealth Government body, or Commonwealth Government associated body
b. An “Organisation,” as defined under section 6C Privacy Act 1988 (Cth), includes;
i. An individual
ii. A body corporate
iii. A partnership
iv. Any unincorporated association
v. A trust
However, none of the above are considered organisations where they are also a small business operator, a registered political party, an agency, a State or Territory authority or a prescribed instrumentality of a State or Territory.
In respect of the first of these exceptions, as per section 6D Privacy Act 1988 (Cth), a small business is a business which had a turnover of less than $3,000,000 in the previous financial year. A small business operator is an individual, body corporate, partnership, unincorporated association or trust that exclusively carries on one or more small businesses.
i. There is an unauthorised access or disclosure of information; and
ii. A reasonable person believes this disclosure would seriously harm the person that information relates to.
b) The information is lost in circumstances where;
i. Unauthorised access or disclosure is likely to occur; and
ii. A reasonable person believes that this disclosure would seriously harm the person that information relates to.
c) This is an of the APP entity, credit reporting body (a body or business which collects, holds, uses and discloses personal information about individuals to provide an entity with information about the creditworthiness of individuals), credit provider (broadly speaking, a body which provides credit, e.g. a bank, a retail business that issues credit cards, etc.) or file number recipient (any person who possesses a record that contains tax file number information); and
d) An individual who would be harmed as a result of this data disclosure (see section 26WE(2)(a)-(b) Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth)) is at risk from said eligible data breach.
When determining what constitutes an eligible data breach, the Court will take a very forgiving and broad interpretation of what conduct will qualify as such.
Moreover, these criteria are governed by an objective test, meaning that in deciding whether it is likely that harm will occur as a result of a disclosure, or whether such a disclosure is likely, the matter will be decided according to what a reasonable and average person would conclude, not what an individual involved in the breach would personally think.
However, under section 26WF(1)-(5) Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) where an APP Entity, credit reporting body, credit provider or file number recipient;
a) Takes remedial action (a phrase which is not defined, but according to the explanatory memorandum would include conduct such as freezing accounts, and ensuring that information accidentally disclosed is either returned or destroyed) which prevents serious harm arising from the access or disclosure of information, or a loss of information; and
b) As a result of the action, a reasonable person would conclude that the access or disclosure, or loss of information is not likely to result in serious harm to the relevant individuals
Then no eligible data breach is taken to have happened, and the APP Entity, etc. is not required to take steps to notify the individual of the access or disclosure.
This section does not explicitly require that the APP Entity, etc. take remedial action to lessen or prevent the harm, only that if they successfully do so, no eligible data breach is taken to have occurred.
However, a failure to take remedial action would likely result in a finding of an eligible data breach against the APP Entity, etc, which would engage the Privacy Commissioner’s existing powers to undertake investigations, make determinations, seek enforceable undertakings, and pursue civil penalties for serious or repeated interferences with privacy. In a worst-case scenario, serious or repeated interferences with the privacy of an individual attract a maximum penalty of $360,000 for individuals and $1,800,000 for bodies corporate.
In determining serious harm, s 26WG Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) provides a wide variety of factors which may be considered. These are;
The kind or kinds of information;
The sensitivity of the information;
Whether the information is protected by security measures;
The likelihood that any of these security measures could be overcome;
The persons who have obtained, or could obtain, the information;
If a security technology or methodology -
Was it used in relation to the information; and
Was it designed to make the information unintelligible or meaningless to persons not authorised to obtain the information;
The likelihood that persons who -
Have obtained, or could obtain, the information; and
Have or are likely to have, the intention of causing harm to any of the individuals to whom the information relates;
Have obtained, or could obtain, information required to circumvent the security technology.
The nature of the harm; and
Any other relevant matters.
Under s 26WH Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth), irrespective of whether the entity was or was not aware that there were reasonable grounds to suspect or believe an eligible data breach has occurred, the entity must nevertheless carry out a “reasonable and expeditious assessment” to determine whether the relevant circumstances amount to an eligible data breach.
A “reasonable and expeditious assessment” is not defined within the Act. The explanatory memorandum effectively only notes that the assessment should be limited to matters reasonably likely to be relevant given the circumstances, and be conducted as promptly and efficiently as is practicable. Moreover, it notes that the form of any assessment will vary considerably with the circumstances.
However, the Office of the Australian Information Commissioner (OAIC) suggests in its September 2017 article Assessing a Suspected Data Breach a possible three stage process;
1. Initiate: Decide whether an assessment is necessary and identify which people will be responsible for it.
2. Investigate: Quickly gather relevant information about the breach, e.g. what personal information is affected, who had access to this, and the likely impacts of such information.
3. Evaluate: Make a decision whether the breach in question would constitute an eligible data breach.
Under section 26WK Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth), where the entity is aware of reasonable grounds to believe there has been an eligible data breach, it must create a statement detailing the nature of the eligible data breach and give it to the Commissioner.
Under section 26WL Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth), and following on from the above, the entity must, taking such steps as are reasonable in the circumstances, notify the contents of the statement to each of the individuals to whom the information relates, or to each of the individuals who are at risk from the eligible data breach.
If neither of the above alternatives applies, the entity must;
Publish a copy of the statement on the entity’s website; and
Take reasonable steps to publicise the contents of the statement.
The act outlines a variety of exceptions to these notification requirements. These include;
a) Under section 26WN Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth), if;
An entity is an enforcement body (which under the Privacy Act 1988 (Cth) includes most police and investigative forces, border security agencies and economic regulators); and
The CEO of said body believes there has been an eligible data breach; and
The CEO believes compliance with s 26WL would likely prejudice enforcement related activities conducted by the entity.
b) The entity is not required to notify impacted individuals or publicly notify the community of the eligible data breach.
c) Under s 26WP Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth), where;
providing a statement of an eligible data breach to the Commissioner (as under s 26WK)
notifying either impacted individuals, or the general public, of an eligible data breach (as under s 26WL).
d) Would be inconsistent with a secrecy provision, these notification requirements do not apply to the extent of the inconsistency.
e) Under s 26WQ Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth), if the Commissioner is aware or informed that there are reasonable grounds to believe that an eligible data breach has occurred, the Commissioner may declare;
That sections 26WK and 26WL do not apply to said eligible data breach.
That the requirement to notify impacted individuals under s 26WL need only be completed within the period specified in the Commissioner’s declaration.
f) Furthermore, an entity may apply to the Commissioner for such a declaration in relation to a data breach of its own. Until the Commissioner makes a decision about this application, sections 26WK and 26WL do not apply to the entity in respect of their eligible data breach.
Under section 26WR Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth), if the Commissioner is aware that there are reasonable grounds to believe there has been an eligible data breach, the Commissioner may direct the entity to;
Prepare a statement for the Commissioner about the eligible data breach, similar to section 26WK.
Notify impacted individuals of the eligible data breach in a manner similar to section 26WL.
The entity need only comply “if it is practicable” to do so, and failing that, need only publicly announce the eligible data breach by;
Publishing a copy of the statement on the entity’s website; and
Taking reasonable steps to publicise the contents of the statement.
The act outlines a variety of exceptions to the above requirements, these include;
Under section 26WS Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth), an entity need not supply a statement of an eligible data breach to the Commissioner if;
The entity is an enforcement body; and
The entity’s CEO believes on reasonable grounds that compliance with the direction would likely prejudice the enforcement body’s activities.
Under section 26WT Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth), where supplying to the Commissioner a statement about the eligible data breach, or notifying impacted individuals of the eligible data breach, would be inconsistent with a secrecy provision (i.e. any law of the Commonwealth which prohibits or regulates the disclosure of information), such directions do not apply to the extent of the inconsistency.
This article is intended only to provide a summary of the subject matter covered. It does not purport to be comprehensive or to render legal advice. No reader should act on the basis of any matter contained in this article without first obtaining specific professional advice.
DISCLAIMER: We accept no responsibility for any action taken after reading this article. It is intended as a guide only and is not a substitute for the expert legal advice you can get from De Marco Lawyers and other relevant experts.