In recent times, high-profile data breaches such as the 2015 Ashley Madison scandal, which saw the names of up to 900,000 Australian users published online, have shown the type of detriment that can be caused when personal information is compromised. Even icons of the Australian retail sector such as Kmart and David Jones had customer data lost to hackers in 2015. One year prior, Optus reported three (3) separate data breaches, with the security of the personal information of over 300,000 of its customers being compromised. These are just a few instances which highlight the magnitude of the issue in Australia.
Breach notices to become mandatory
On 19 October 2016 Parliament introduced the Privacy Amendment (Notifiable Data Breaches) Bill 2016 (Bill) to provide for mandatory notification of data breaches to better equip individuals at risk of a serious breach. The Bill’s notification requirements are intended to give individuals more timely opportunities to take personal action, such as changing their passwords and other information, before their personal information can be further compromised. It is also anticipated that the mandatory notification requirement will provide entities with a strong incentive to improve security standards relating to personal information.
The Bill, once enacted, will insert new sections 26WA – 26WT into the Privacy Act 1988 (Cth) (Act) that will make data breach notifications mandatory for entities currently regulated by the Act. Entities currently regulated by the Act are defined in section 6C and section 6D as entities with an annual turnover of $3 million or more, or certain small businesses that provide a health service, are a credit reporting body, or trade in personal information.
What is a data breach?
A data breach (Data Breach) has been defined by the Office of the Australian Information Commissioner (OIC) in its “Guide to developing a data breach response plan” as occurring when “personal information held by an agency or organisation is lost or subjected to unauthorised access, use, modification, disclosure or other misuse”.
Broadly, a Data Breach can be described as an interference with the privacy of an individual. The Bill defines an eligible Data Breach in new section 26WE of the Act as occurring when:
- there is unauthorised access to, unauthorised disclosure of, or loss of, personal information held by an entity; and
- the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates.
What steps must be taken when there has been a suspected Data Breach?
Under the Bill, if there are reasonable grounds to believe that there may have been an eligible Data Breach, new section 26WH of the Act requires an eligible entity to:
- carry out a reasonable and expeditious assessment of whether there are reasonable grounds to believe that there has been a Data Breach; and
- take all reasonable steps to have the assessment completed within 30 days after the entity becomes aware of the suspected Data Breach.
Under new section 26WF of the Act, if there has been an unauthorised access to, unauthorised disclosure of, or loss of information that a reasonable person would consider is likely to cause serious harm to any individuals to whom the information relates, an entity may take steps to remedy the breach.
If the unauthorised access or disclosure of the information occurs and:
- the entity takes action before the unauthorised access or disclosure results in serious harm to any of the individuals to whom the information relates; and
- as a result of that action, a reasonable person could conclude that it is unlikely that serious harm will result to the individuals to whom the information relates,
a breach may be avoided, and the individuals to whom the information relates will not be required to be notified of the contents of a statement relating to the unauthorised access or disclosure (Statement).
If information is lost and the entity:
- takes action in relation to the loss before there is an unauthorised access to or unauthorised disclosure of the information, the loss will not result in a Data Breach.
- takes action in relation to the loss after there is an unauthorised access to or unauthorised disclosure of the information, but before that unauthorised access or disclosure results in serious harm to any of the individuals to whom the information relates, and a reasonable person would consider that it is unlikely that serious harm would result, the loss will not result in a Data Breach, and the entity will not be required to notify the individuals to whom the information relates of the contents of a Statement that relates to the loss.
When is it proposed that a Statement and notification is required?
If the entity becomes aware of reasonable grounds to believe that there has been a Data Breach, new section 26WK of the Act states that the entity must prepare a Statement and provide it to the Commissioner as soon as practicable after the entity becomes so aware.
Where the entity has prepared a Statement for the Commissioner, the entity will also be required under new section 26WL of the Act, as far as reasonably practicable, and as soon as practicable after preparing the Statement, to:
- take steps that are reasonable in the circumstances to notify the individuals to whom the breach of information relates of the contents of the Statement; or
- take steps that are reasonable in the circumstances to notify the individuals who are at risk from the eligible Data Breach of the contents of the Statement relating to that eligible Data Breach.
The entity should notify the individuals to whom the information relates through the methods that are usually used to communicate with those individuals. If neither of these situations applies, the entity must:
- publish a copy of the Statement on the entity’s website (if any); and
- take reasonable steps to publicise the contents of the Statement.
The exceptions to notification stated in new sections 26WM – 26WQ of the Act include:
- if the entity is an enforcement body and compliance with notification would result in prejudice to its operations;
- if notification would be inconsistent with secrecy provisions of the Commonwealth; or
- the Commissioner declares by written notice that the notification requirements do not apply.
How to minimise the risk of a serious breach
According to the Bill, an entity can take certain preventive measures to reduce the risk of a breach being a serious breach. These include:
- protecting the information by one or more security measures that are not likely to be overcome;
- using a security technology or methodology designed to make the information unintelligible or meaningless to persons not authorised to obtain the information; and
- ensuring that if the unauthorised information was obtained, it would be unlikely that the unauthorised persons would also be able to obtain information or knowledge required to circumvent the security technology or methodology.
Information Commissioner’s powers to investigate Data Breaches
Under new section 26WR of the Act, the Commissioner has the power to direct an entity to notify affected individuals of an eligible Data Breach if the Commissioner is aware of reasonable grounds on which to believe that there has been an eligible Data Breach. However, the Commissioner does not have the power to direct entities on the form of the notification. This limitation is in response to concerns by industry groups that a general public notification poses the potential for serious and costly reputational damage.
If an entity fails to satisfy a direction to notify, the Commissioner may exercise its existing powers under the Act to investigate, make determinations and provide remedies in relation to non-compliance.
If you need advice on Data Breaches or implications associated with your organisation's compliance with the Privacy Act 1988 (Cth), contact us for a confidential and obligation-free discussion:
Malcolm Burrows B.Bus.,MBA.,LL.B.,LL.M.,MQLS.
Legal Practice Director
Telephone: (07) 3221 0013 | Mobile: 0419 726 535
This article contains general commentary only. You should not rely on the commentary as legal advice. Specific legal advice should be obtained to ascertain how the law applies to your particular circumstances.