Australia’s new data breach notification regime starts today, but are you ready?
While the regime won’t affect all entities, many franchisors (and to a lesser extent, franchisees) will be caught but may not realise this. Given the serious consequences of failing to comply, it is important to consider whether you are caught by these changes and, if so, take immediate steps to mitigate risks.
So what are the changes?
Essentially, the scheme requires Australian Privacy Principle (APP) entities to notify individuals affected by a data breach that is likely to result in serious harm. Such data breaches are also required to be notified to the Office of the Australian Information Commissioner.
Do the changes apply to you?
The changes generally apply to APP entities.
Broadly, APP entities are entities (bodies corporate, partnerships, incorporated associations, trusts) that are subject to the Privacy Act 1988 (Cth) (Privacy Act). A business that has turnover of over $3 million will be subject to the Privacy Act and will automatically be an APP entity. However, a business will also be caught if its turnover is under $3 million but it is a related body corporate of an entity with over $3 million in turnover.
A franchisor or franchisee could also be an APP entity (and subject to the Privacy Act and the new data breach notification regime) in a variety of other circumstances even if it has turnover under the $3 million threshold, including where it is a health service provider, it trades in personal information (e.g. buying or selling a mailing list or customer database), it is a credit reporting body or a contractor under a Commonwealth contract.
There may also be other circumstances where you may be captured by the regime. If you are not sure whether you are subject to the new data breach regime, we recommend erring on the side of caution and seeking specific advice as to whether the regime will apply to you.
What is an eligible data breach?
In summary, an eligible data breach occurs where:1
- There is unauthorised access to, unauthorised disclosure of, or loss of, personal information held by an entity; and
- The access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates.
Thus, not all data breaches are “eligible data breaches”; there is a seriousness threshold in terms of the likely harm to any of the affected individuals.
A data breach can range from a sophisticated hack into a computer system to grab highly confidential and sensitive information, to a low-level employee who leaves his or her iPhone in a bar, where that phone has email access. Data breaches also include inadvertent disclosures due to human error, such as sending an email to the incorrect recipient that contains another individual’s personal information.
When determining whether or not access or disclosure would be likely to result in serious harm, regard should be given to:
- The kind of information that has been accessed/disclosed;
- The sensitivity of the information;
- Whether the information is protected by one or more security measures (and the likelihood that any of those security measures could be overcome);
- The persons or kind of persons who have obtained or who could obtain the information;
- Whether a security measure was used to make the information unintelligible or meaningless to those who are not authorised to obtain the information (and whether that technology can be circumvented);
- The nature of the harm; and
- Any other relevant matters.
It is important to remember, when considering harm, that if a reasonable person would conclude that the data breach might cause serious harm, but you are not aware of any particular harm at the relevant time, you still need to notify. Without being exhaustive, if the data breach is likely to result in the following types of harm, notification will be required:
- Financial fraud (such as due to the disclosure of credit card or other financial information);
- Identity theft; or
- Violence or physical harm.
When must you notify a data breach?
You must give notification if:
- You have reasonable grounds to believe that an eligible data breach has occurred; or
- You are directed to do so by the Privacy Commissioner.
Note that if an eligible data breach involves more than one entity, then only one entity needs to notify. Accordingly, it is important for franchisors to consider whether they need to put procedures and / or contractual mechanisms in place to control how, and by whom, notification will be made in the event of a data breach, including breaches that impact the franchisor and one or more franchisee entities.
What if you are still unsure about whether what has happened is an eligible data breach?
If there are reasonable grounds to suspect that there may have been an eligible data breach, but you are not sure, then you must carry out a reasonable and expeditious assessment of whether there are reasonable grounds to believe that the relevant circumstances amount to an eligible data breach, and take all reasonable steps to ensure that the assessment is completed within 30 days after you become aware.
Note that the 30 day assessment period only applies if you have a suspicion there has been an eligible data breach. If you are aware that there are reasonable grounds to believe there has been an eligible data breach, you do not receive the 30 day assessment period and must notify immediately.
How do you provide notice?
You must prepare a statement in the form required by the Privacy Act and give a copy of the statement to the Privacy Commissioner as soon as practicable after you become aware of the breach.
Then, if doing so is practicable, you must take reasonable steps to provide that statement to each of the individuals to whom the relevant information relates. Alternatively, if it is practicable to provide the statement to each of the individuals who are at risk from the eligible data breach, then you should do that. If neither of those alternatives is practicable, you must publish a copy of the statement on your website and take reasonable steps to publicise the statement.
What penalties can apply?
Failure to comply with the data breach notification obligations constitutes a breach of the Privacy Act. The Privacy Commissioner has existing powers to investigate, make determinations and provide remedies in relation to non-compliance with the Privacy Act. This includes the capacity to undertake Commissioner-initiated investigations, make determinations, seek enforceable undertakings, and pursue civil penalties for serious or repeated interferences with privacy.
What should you do now?
As a first step, you should consider if you (or any of your related entities) fall within the scope of this regime. In addition, you should consider whether your franchisees do (or could potentially) fall within the scope of this regime.
If you consider that you, any of your related entities or your franchisees may fall within the scope of the regime, it is important to consider the most appropriate means to address risk associated with the new regime. This may include:
- Putting in place a data breach incident response plan for both you and your franchise network;
- Reviewing your franchise agreement to determine your current position on data ownership and potentially preparing amendments to the franchise agreement to clarify each party’s obligations in the case of a data breach;
- Reviewing any commercial agreements you have in place with entities that hold data on your behalf to clarify each party’s obligations in the event of a data breach; and
- Preparing applicable updates to operations manuals and communications to franchisees to ensure that they are aware of the new regime and what it means for them.
We have assisted various clients with considering and implementing their response to this new regime and are well placed to consider and assist franchisors with preparing for this regime. If you would like to discuss whether the new regime will apply to you or what you should be doing in light of the changes, please contact any member of our National Franchising Team.
This article was written by Matthew Craven, Partner and Allison McLeod, Partner.
1 Privacy Act 1988 (Cth) s 26WE.