
Data breaches: what exactly is serious harm?

Reviewed by Malcolm Burrows

The Notifiable Data Breaches Scheme applies to entities (APP Entities) that are required to protect personal information pursuant to the Australian Privacy Act 1988 (Cth) (Act).  The Act provides that where an eligible data breach (EDB) occurs, APP Entities in control of that information must notify the Office of the Australian Information Commissioner (OAIC) and the individuals who are affected by the EDB.

An EDB arises where there has been unauthorised access, loss or disclosure of personal information by an APP Entity (Unauthorised Disclosure) and such disclosure is likely to cause serious harm[1] to the individuals whose personal information is stored.

An EDB may also arise where a data breach is likely to occur and, if it did occur, would be likely to result in serious harm.

Where a data breach occurs and the APP Entity is able to take remedial action, it may prevent an EDB from occurring.  An example of remedial action is where an employee of an APP Entity leaves her laptop containing employee records in a taxi.  The employee then immediately phones tech support, who disables that computer’s access to the network and the records.

Assessing serious harm requires careful consideration of some key concepts, which is the purpose of this article.

What exactly is ‘serious harm’?

Serious harm is not defined in the Act.  Therefore, whether an individual is likely to suffer serious harm is an objective test from the perspective of a reasonable person.  The OAIC describes a ‘reasonable person’ as:

a person in the entity’s position (rather than the position of an individual whose personal information was part of the data breach or any other person), who is properly informed, based on information immediately available or following reasonable inquiries or an assessment of the data breach.[2]

‘Reasonable person’ is also discussed in general terms in Chapter B of the OAIC’s APP Guidelines.

The OAIC has issued guidelines on the factors to consider when assessing whether serious harm is likely in the event of a data breach.[3]  In the context of a data breach, serious harm to an individual may include serious physical, psychological, emotional, financial, or reputational harm.  The Act provides a non-exhaustive list of ‘relevant matters’ that may assist entities to assess the likelihood of serious harm.  These are set out in s 26WG of the Act, and are summarised below.

Types of personal information involved in the data breach

There are various types of personal information that may increase the risk of serious harm if Unauthorised Disclosure occurs:

  • ‘sensitive information’, such as information about an individual’s health;
  • documents commonly used for identity fraud (including Medicare card, driver licence, and passport details);
  • financial information; and
  • a combination of types of personal information (rather than a single piece of personal information) that allows more to be known about the individuals the information is about.[4]

The circumstances of the data breach

The specific circumstances of the data breach are relevant when assessing whether there is a risk of serious harm to an individual.  This may include a consideration of the following:

  • whose personal information was involved in the breach;
  • how many individuals were involved;
  • how long the information has been accessible; and
  • who may have gained unauthorised access to the personal information.[5]

The nature of the harm that may result from the data breach

In assessing whether there has been serious harm, organisations should consider the broad range of potential harms that may follow a data breach.  Examples may include:

  • identity theft;
  • significant financial loss by the individual;
  • threats to an individual’s physical safety;
  • loss of business or employment opportunities;
  • humiliation, damage to reputation or relationships; and
  • workplace or social bullying or marginalisation.

The likelihood of a serious harm occurring, as well as the anticipated consequences for individuals whose personal information is involved in the data breach if the harm materialises, are relevant considerations.[6]

Further, it is worth noting that whilst individuals may be distressed or upset at an Unauthorised Disclosure, such a reaction alone is insufficient to constitute an EDB.

OAIC observations on serious harm

In its Notifiable Data Breaches Statistics Report the OAIC identified contact information as the most common type of personal information disclosed in data breaches between April and June 2019.  The OAIC notes that loss of contact information may not result in immediate or financial harm in the same way that losing credit card information would, for example.

With the above considerations in mind, organisations may recognise that further harm can arise from activities such as phishing and social engineering, tactics which are aided by the use of contact information compromised in a data breach.  This highlights that, while serious harm may not immediately result from a particular data breach, its flow-on effects should be considered in determining whether serious harm is likely in future.

Takeaways

Serious harm is not easily defined, and therefore requires consideration of various factors including the types of information involved in the data breach, the circumstances surrounding the data breach and the nature of the harm that may result from it.  It is important to note that minor data breaches, while they may not seem serious on their face, could have a flow-on effect and result in serious harm.

Additionally, it is important for APP Entities to have a data breach response plan in place as part of their risk and compliance measures in the context of internet law.  Organisations that are capable of taking swift remedial action on an Unauthorised Disclosure may avoid having to undertake expensive assessment and notification processes.  Preparation for remedial action may also prevent your company finding itself in the embarrassing, and potentially very public, position of notifying its clients that their data has been compromised.

Links and further references

Legislation

Privacy Act 1988 (Cth)


[1] Privacy Act 1988 (Cth) s 26WE(ii).

[2] Office of the Australian Information Commissioner, Data Breach Preparation and Response Guideline, page 33.

[3] Ibid page 33.

[4] Ibid page 34.

[5] Ibid page 35.

[6] Ibid page 36.
