| Brisbane:+61 7 3221 0013 | Gold Coast:+61 7 5646 9174

1300 386 529 | Australia

Privacy law

Data Breach Bill 2016 – considerations for data security

HomeBlogTechnology lawInternet lawData Breach Bill 2016 – considerations for data security

by

Dundas Lawyers

reviewed by

Malcolm Burrows

Updated 4 April 2017

In recent times, high profile data breaches such as the 2015 Ashley Madison scandal, which saw the names of up to 900,000 Australian users published online, have shown the type of detriment that can be caused when personal information is compromised by a data breach.  Even icons of the Australian retail sector such as Kmart and David Jones have had customer data lost to hackers in 2015.  One year prior, Optus reported three (3) separate data breaches, with the security of the personal information of over 300,000 of its customers being compromised.  These are just a few instances which highlight the magnitude of the issue in Australia.

Breach notices to become mandatory

On 22 February 2017 the Privacy Amendment (Notifiable Data Breaches) Bill 2016  (Bill) received Royal Assent.  The Bill provides for mandatory notification of data breaches to better equip individuals at risk of a serious breach.  These notification requirements are intended to give more timely opportunities to take personal action in changing their passwords and other information before their personal information can further be compromised. It is also anticipated that the mandatory notification requirement will provide entities with a strong incentive to improve security standards relating to personal information.

From 23 February 2018 new sections 26WA – 26WT will be inserted into the Privacy Act 1988 (Cth) (Act) to make data breach notifications mandatory for entities currently regulated by the Act.  Entities currently regulated by the Act are defined in section 6C and section 6D as entities with an annual turnover of $3 million or more, or certain small business that provide a health service, are a credit reporting body, or trade in personal information.

What is a data breach?

A data breach (Data Breach) has been defined by the Office of the Australian Information Commissioner (OIC)  in its “Guide to developing a data breach response plan” as occurring when “personal information held by an agency or organisation is lost or subjected to unauthorised access, use, modification, disclosure or other misuse”.

Broadly, a Data Breach can be described as an interference with the privacy of an individual.  An eligible Data Breach in defined in new section 26WE of the Act as occurring when:

  • there is unauthorised access to, unauthorised disclosure of, or loss of, personal information held by an entity; and
  • the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates.

What steps must be taken when there has been a suspected Data Breach?

Under the amended Act, if there are reasonable grounds to believe that there may have been an eligible Data Breach, new section 26WH of the Act requires an eligible entity to:

  • carry out a reasonable and expeditious assessment of whether there are reasonable grounds to believe that there has been a Data Breach; and
  • take all reasonable steps to have the assessment completed within 30 days after the entity becomes aware of the suspected Data Breach.

Remedial action

Under new section 26WF of the Act, if there has been an unauthorised access to, unauthorised disclosure of, or loss of information that a reasonable person would consider is likely to cause serious harm to any individuals to which the information relates, an entity may take steps to remedy the breach.

If the unauthorised access or disclosure of the information occurs and the entity:

  • takes action before the unauthorised access or disclosure results in serious harm to any of the individuals in which the information relates; and
  • as a result of that action, a reasonable person could conclude that it is unlikely that serious harm will result to the individuals to which the information relates, a breach may be avoided, and the individual to which the information relates, will not be required to be notified of the contents of a statement relating to the unauthorised access or disclosure (Statement).

If information is lost and the entity:

  • takes action in relation to the loss before there is an unauthorised access to or unauthorised disclosure of the information, the loss will not result in a data breach.
  • takes action in relation to the loss after there is an unauthorised access to or unauthorised disclosure of the information, before that unauthorised access or disclosure results in serious harm to any of the individuals in which the information relates, and a reasonable person would consider that it is unlikely that serious harm would result, the loss will not result in a Data Breach, and the entity will not be required to notify the individuals to which the information relates the contents of a statement that relates to the loss.

When is it proposed that a Statement and notification is required?

If the entity becomes aware of reasonable grounds to believe that there has been a Data Breach, new section 26WK of the Act states that the entity must prepare a Statement and provide it to the Commissioner as soon as practicable after the entity becomes so aware.

If the circumstances have arisen that the entity has prepared a Statement to the Commissioner, the entity will also be required under new section 26WL of the Act, as far as reasonably practicable, and as soon as practical after preparing the Statement, to:

  • take steps that are reasonable in the circumstances to notify the individuals in which the breach of information relates, the contents of the Statement; or
  • take steps that are reasonable in the circumstances to notify the individuals who are at risk from the eligible Data Breach as to the contents of the Statement relating to such eligible data breach.

The entity should notify the individuals in which the information relates through the methods that are usually used to communicate with those individuals.  If neither of these situations apply, the entity must:

  • publish a copy of the Statement on the entity’s website (if any); and
  • take reasonable steps to publicise the contents of the Statement.

The exceptions to notification stated in new sections 26WM – 26WQ of the Act include:

  • if the entity is an enforcement body and compliance with notification would result in prejudice to its operations;
  • if notification would be inconsistent with secrecy provisions of the Commonwealth; or
  • the Commission declares by written notice that the notification requirements to not apply.

How to minimise the risk of a serious breach

Certain preventive measures can be taken by an entity to reduce the risk of a breach being a serious breach, these include:

  • protecting the information by one or more security measures that are not likely to be overcome;
  • using a security technology or methodology designed to make the information unintelligible or meaningless to persons not authorised to obtain the information; and
  • ensuring that if the unauthorised information was obtained, it would be unlikely that the unauthorised persons would also be able to obtain information or knowledge required to circumvent the security technology or methodology.

Information Commissioner’s powers to investigate Data Breaches

Under new section 26WR of the Act, the Commissioner has the power to direct an entity to notify affected individuals of an eligible Data Breach if they are aware of reasonable grounds on which to believe that there has been an eligible Data Breach.  However, the Commissioner does not have to power to direct entities on the form of the notification.  This limitation is in response to concerns by industry groups that a general public notification poses the potential for serious and costly reputational damage.

If an entity fails to satisfy a direction to notify, the Commissioner may exercise its existing powers under the Act to investigate, make determinations and provide remedies in relation to non-compliance.

Links and further references

Legislation

Privacy Amendment (Notifiable Data Breaches) Bill 2016 (Cth)

Other links

Data breach preparation and response – A guide for organisations and agencies to prepare for and respond to data breaches – Office of the Australian Information Commissioner

Guide to securing personal information – Office of the Australian Information Commissioner

ASIC Report 429 – Cyber Resilience: Health Check (March 2015)

Further information about privacy compliance

If you need advice on Data Breaches or implications associated with your organisations compliance with the Privacy Act 1988 (Cth), contact us for a confidential and obligation free discussion:


Malcolm Burrows B.Bus.,MBA.,LL.B.,LL.M.,MQLS.
Legal Practice Director
T: +61 7 3221 0013 (preferred)
M: +61 419 726 535
E: mburrows@dundaslawyers.com.au

Doyles Recommended TMT Lawyer 2024

Disclaimer

This article contains general commentary only.  You should not rely on the commentary as legal advice.  Specific legal advice should be obtained to ascertain how the law applies to your particular circumstances.

Related insights about privacy compliance

  • Federal parliament passes cyber security laws

    Federal parliament passes cyber security laws

    On 25 November 2024, the Australian Parliament passed a suite of legislation, collectively referred to by the Australian Government as the Cyber Security Legislative Package 2024.  The purported impetus for this legislation was a series of high-profile data breaches in 2022 and 2023.

    Read more …

  • Privacy Act amended to increase penalties up to $50 million

    Privacy Act amended to increase penalties up to $50 million

    The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (Bill) was passed by both Houses of Parliament on the 28 November 2022 and now awaits Royal Assent.  The Bill was passed with virtually no amendment.

    Read more …

  • New privacy bill to be put before commonwealth parliament

    New privacy bill to be put before commonwealth parliament

    The Federal Government announced on 22 October 2022 that it intends to introduce new legislation to strengthen certain provisions of the Privacy Act 1988 (Cth).  This legislative change was triggered by multiple data breaches that have occurred in the past weeks such as the Optus breach in September this year.  This article discusses the proposed amendments…

    Read more …

  • What should APP Entities include in a data destruction policy?

    What should APP Entities include in a data destruction policy?

    This article summarises the Australian Privacy Principles (APPs) and the importance of having a data destruction policy (DDP) in place. It outlines the steps to take when destroying or deidentifying personal and sensitive information, and the consequences of not doing so.

    Read more …

  • Uber breaches Australian privacy laws

    Uber breaches Australian privacy laws

    This article provides an overview of interesting decisions of Australian Courts in Corporate Law, Technology Law and Intellectual Property. With cases on Trade Marks, Copyright, Defamation, Negligence, Joint Ventures and Confidential Information, it is an invaluable resource for anyone interested in these areas.

    Read more …

  • Ransomware Payments Bill 2021 (Cth)

    Ransomware Payments Bill 2021 (Cth)

    Australian government proposed the Ransomware Payments Bill 2021 (Cth) (Bill) to enforce mandatory reporting of ransomware payments. Penalties of up to $110,000 for non-compliance.

    Read more …

Posted

in

, , , ,
P: 1300 386529
E: [email protected]
Send this to a friend