What has changed?
With the passage of the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) earlier this year, businesses have some time to put systems in place to comply with the notifiable data breaches scheme in Australia. The scheme will commence on 22 February 2018.
Essentially, the scheme requires Australian Privacy Principle (APP) entities to notify any individuals likely to be at risk of serious harm by a data breach.
Do the changes apply to you?
The changes will apply to APP entities. An APP entity can be an agency or organisation, which means it can be a body corporate, a partnership, any other unincorporated association or a trust. The main threshold requirement is an annual turnover of $3 million in the previous financial year, although one can still be an APP entity without meeting that threshold if one provides certain nominated services.
For example, health service providers and entities that hold health information other than in an employee record will be APP entities.
So will any entities that disclose personal information about another individual for a benefit, service or advantage, or provide a benefit, service or advantage to collect personal information about another individual from anyone else, unless they do so with consent or are required or authorised by or under legislation to do so.
Further, contracted service providers for a Commonwealth contract will be APP entities.
What is an eligible data breach?
An eligible data breach takes place where:1
- There is unauthorised access to, unauthorised disclosure of, or loss of, personal information held by an entity; and
- The access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates.
Thus, not all data breaches are “eligible data breaches”; there is a seriousness threshold in terms of the likely harm to any of the affected individuals. A data breach can range from a sophisticated hack into the computer systems to grab highly confidential and sensitive information, to a low-level employee who leaves his or her iPhone in a bar, where that phone has email access.
When determining whether or not access or disclosure would be likely to result in serious harm, consider whether it would be likely to result in serious harm to any of the individuals to whom the information relates, having regard to:
- The kind of information it is;
- The sensitivity of the information;
- Whether the information is protected by one or more security measures (and the likelihood that any of those security measures could be overcome);
- The persons or kind of persons who have obtained or who could obtain the information;
- Whether a security measure was used to make the information unintelligible or meaningless to those who are not authorised to obtain the information (and whether that technology can be circumvented);
- The nature of the harm; and
- Any other relevant matters.
When must you notify of a data breach?
You must give notification if:
- You have reasonable grounds to believe that an eligible data breach has happened; or
- You are directed to do so by the Privacy Commissioner.
What if you are still unsure about whether what has happened is an eligible data reach?
If there are reasonable grounds to suspect that there may have been an eligible data breach, but you are not sure, then you must carry out a reasonable and expeditious assessment of whether there are reasonable grounds to believe that the relevant circumstances amount to an eligible data breach, and take all reasonable steps to ensure that the assessment is completed within 30 days after you become aware.
How do you provide notice?
You must prepare a statement that complies with the following, and give a copy to the Privacy Commissioner as soon as practicable after you become aware of the breach.
The statement must:
- Set out your identity and contact details;
- Have a description of the eligible data breach;
- Have the kind or kinds of information concerned; and
- Have recommendations about the steps that individuals should take in response to the eligible data breach.
Further, if you think that the breach may have also affected other entities, you should set out those entities and provide contact details.
Then, if doing so is practicable, you must take reasonable steps to provide that statement to each of the individuals to whom the relevant information relates. Alternatively, if it is practicable to provide the statement to each of the individuals who are at risk from the eligible data breach, then you should do that. If neither of those alternatives is practicable, you must publish a copy of the statement on your website and take reasonable steps to publicise the statement.
What penalties can apply?
As noted in the Explanatory Memorandum: “Failure to comply with a data breach notification obligation will be deemed to be an interference with the privacy of an individual for the purposes of the Privacy Act 1988 (Cth). This will engage the Privacy Commissioner’s existing powers to investigate, make determinations and provide remedies in relation to noncompliance with the Privacy Act. This includes the capacity to undertake Commissioner-initiated investigations, make determinations, seek enforceable undertakings, and pursue civil penalties for serious or repeated interferences with privacy.”2
The Explanatory Memorandum continues: “This approach will permit the use of less severe sanctions before elevating to a civil penalty. These less severe penalties could include public or personal apologies, compensation payments or enforceable undertakings. A civil penalty would only be applicable where there has been a serious or repeated noncompliance with mandatory notification requirements. Civil penalties would be imposed by the Federal Court or Federal Circuit Court on application by the Privacy Commissioner.”3
At what point has a failure taken place?
Regarding criteria for establishing whether there has been a failure, the legislation only requires that the entity give notice “as soon as practicable after the entity becomes so aware”.4 While there is no clear time frame, one would have failed if one notified at a point in time subsequent to “as soon as practicable”.
Is harm required?
The test is whether a reasonable person would conclude that there is a likely risk of serious harm to any of the affected individuals as result of the unauthorised access or disclosure.
If a reasonable person would not conclude that there is a likely risk of serious harm, then notification would not be required in the first place. It is not an eligible data breach.
If a reasonable person would conclude that the data breach might cause serious harm, but you are not aware of any particular harm at the relevant time, you still need to notify.
In other words, a failure to notify can take place without regard to whether serious harm has in fact resulted. You may be penalised merely for the failure — assuming that a reasonable person would conclude that there is a likely risk of serious harm to the affected individuals.
What should you do prior to 22 February 2018?
The Privacy Commissioner is actively promoting the change, and preparing guidance for businesses to assist with complying with the scheme. Given the Privacy Commissioner will receive notifications of eligible data breaches and handle complaints, conduct investigations and take other regulatory action in instances of noncompliance, its guidance is of enormous value.
However, in the unfortunate event that an eligible data breach occurs, given what is at stake and the urgency with which a business should respond, you should look to preparing a bespoke data breach response plan. For assistance and advice, you should not hesitate to contact the author.
This article was written by Eli Fisher, Senior Associate.
1 Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth), s 26WA.
2 Explanatory Memorandum, Privacy Amendment (Notifiable Data Breaches) Bill 2016 (Cth) at [28].
3 Explanatory Memorandum, Privacy Amendment (Notifiable Data Breaches) Bill 2016 (Cth) at [29].
4 Above n 1, s 26WK.