The Privacy Amendment (Notifiable Data Breaches) Act 2017 (Breach Notification Act) received Royal assent on 22 February. This means that private sector organisations and Commonwealth Government agencies will have breach reporting obligations that start on Thursday 22 February 2018 (unless the Government chooses to proclaim an earlier commencement). Data breaches which occurred before commencement will not be reportable. As with other Commonwealth privacy legislation, some entities are exempt, including small businesses and State government entities (although the Act does apply to all breaches of tax file number information). The Breach Notification Act introduces mandatory requirements to report harmful data breaches to the Australian Information Commissioner and, in most cases, to the individuals affected by a breach of their personal information.
What is the rationale?
Although the Breach Notification Act also applies to the loss or theft of physical records, concerns about data breaches are heightened by the widespread collection and use of electronic data. The online storage of personal information has become incidental to many commercial enterprises and social networks. The relative ease of transporting and processing electronic data means that individuals can face serious risk if their information is improperly disclosed or is accessed through an intrusion. The Breach Notification Act aims to protect individuals by requiring that they be informed where there has been a data breach which is likely to result in serious harm. This may allow them to protect themselves from the consequences of the breach.
Until the Breach Notification Act commences, the Office of the Australian Information Commissioner continues to recommend a voluntary reporting scheme.
Importantly, the Breach Notification Act imposes a threshold for breaches that trigger the reporting obligation, so that notice is not required where harm from a data breach is unlikely. It is expected that this will reduce the impact of the obligation on businesses.
Under what circumstances will reporting a breach be mandatory?
The amendment applies to agencies and organisations that already fall under the Privacy Act, credit reporting bodies, credit providers and recipients of tax file numbers. These entities must report eligible data breaches under the amendment. An eligible data breach occurs where:
- There is unauthorised access, disclosure or loss of personal information; and
- The access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates; and
- Remedial action to prevent that serious harm has not been, or will not be, taken.
Matters to be considered in determining whether ‘serious harm’ is likely include the nature and sensitivity of the information, the security level applied, and the likelihood that the information would be used adversely. As soon as an entity becomes aware of a possible data breach or loss, it must carry out a reasonable and expeditious assessment of whether the situation amounts to an eligible data breach. This must be completed within 30 days of a suspicion arising. Once the entity is aware that there are reasonable grounds to believe that an eligible data breach has occurred, mandatory notification is triggered:
- The entity must prepare a statement, including contact details, the nature of the breach, the kinds of information affected, and what affected individuals might do to mitigate the resulting harm;
- The statement must be provided to the Commissioner as soon as practicable;
- If practicable, reasonable steps must be taken to communicate the statement to all of the individuals whose information has been affected, or all of the individuals at risk of serious harm; and
- If notifying affected individuals is not practicable, the statement must be posted on the entity’s website, and reasonable steps taken to publicise it.
An affected entity is able to apply to the Commissioner for a declaration that a particular breach need not be reported. Some other limited exemptions apply to data breaches by law enforcement agencies or where there is a legislated secrecy obligation. Failure to comply with the obligations in this Act is dealt with under the existing enforcement framework within the Privacy Act. The Commissioner will be able to investigate and make determinations that could require entities to take specified steps within a specific period, or compensate loss or damage suffered by complainants. In serious cases of non-compliance, the Commissioner can apply to the Federal Court for a pecuniary penalty under the ‘serious or repeated interference with privacy’ civil penalty provision.
What needs to be done?
Breach notification will be a legal obligation by 22 February 2018 at the latest. Affected organisations will need to:
- Develop and improve their systems to identify possible data breaches;
- Implement processes to assess whether reporting is required within short timeframes; and
- Implement the process for reporting to affected individuals.
HWL Ebsworth has a national team of dedicated privacy and financial services and regulatory specialists, who regularly advise businesses on their privacy and compliance requirements. If you would like further information on the implications of this new Act and the potential impacts for your business, please feel free to contact a member of our team.
This article was written by Michael Anastas, Partner, James Moore, Partner and Elizabeth Singleton, Trainee Solicitor.