Data breaches: what exactly is serious harm?

The Notifiable Data Breaches scheme applies to entities (APP Entities) that are required to protect personal information under the Australian Privacy Act 1988 (Cth) (Act).  The Act provides that where an eligible data breach (EDB) occurs, the APP Entity that holds the information must notify the Office of the Australian Information Commissioner (OAIC) and the individuals affected by the EDB.

An EDB arises where there has been unauthorised access to, unauthorised disclosure of, or loss of personal information held by an APP Entity (Unauthorised Disclosure) and a reasonable person would conclude that it is likely to result in serious harm[1] to any of the individuals to whom the information relates.

An EDB may also arise where personal information is lost in circumstances where unauthorised access or disclosure is likely to occur and, if it did occur, would be likely to result in serious harm.

Where a data breach occurs and the APP Entity is able to take remedial action before any serious harm results, an EDB may be avoided.  For example, an employee of an APP Entity leaves her laptop containing employee records in a taxi.  She immediately phones tech support, who disable that computer’s access to the network and to the records.

Assessing serious harm requires careful consideration of some key concepts, which is the purpose of this article.

What exactly is ‘serious harm’?

Serious harm is not defined in the Act.  Whether an individual is likely to suffer serious harm is an objective test, assessed from the perspective of a reasonable person.  The OAIC describes a ‘reasonable person’ as:

“a person in the entity’s position (rather than the position of an individual whose personal information was part of the data breach or any other person), who is properly informed, based on information immediately available or following reasonable inquiries or an assessment of the data breach.”[2]

‘Reasonable person’ is also discussed in general terms in Chapter B of the OAIC’s APP Guidelines.

The OAIC has issued guidance on the factors to consider when assessing whether serious harm is likely in the event of a data breach.[3]  In the context of a data breach, serious harm to an individual may include serious physical, psychological, emotional, financial or reputational harm.  The Act provides a non-exhaustive list of ‘relevant matters’ that may assist entities to assess the likelihood of serious harm.  These are set out in s 26WG of the Act and are summarised below.

Types of personal information involved in the data breach

There are various types of personal information that may increase the risk of serious harm if Unauthorised Disclosure occurs:

  • ‘sensitive information’, such as information about an individual’s health;
  • documents commonly used for identity fraud (including Medicare card, driver licence, and passport details);
  • financial information; and
  • a combination of types of personal information (rather than a single piece of personal information) that allows more to be known about the individuals the information is about.[4]

The circumstances of the data breach

The specific circumstances of the data breach are relevant when assessing whether there is a risk of serious harm to an individual.  This may include a consideration of the following:

  • whose personal information was involved in the breach;
  • how many individuals were involved;
  • how long the information has been accessible; and
  • who may have gained unauthorised access to the personal information.[5]

The nature of the harm that may result from the data breach

In assessing whether serious harm is likely, organisations should consider the broad range of potential harms that may follow a data breach.  Examples include:

  • identity theft;
  • significant financial loss by the individual;
  • threats to an individual’s physical safety;
  • loss of business or employment opportunities;
  • humiliation, damage to reputation or relationships; and
  • workplace or social bullying or marginalisation.

The likelihood of a serious harm occurring, as well as the anticipated consequences for individuals whose personal information is involved in the data breach if the harm materialises, are relevant considerations.[6]

Further, it is worth noting that whilst individuals may be distressed or upset by an Unauthorised Disclosure, such a reaction alone is insufficient to constitute serious harm and therefore an EDB.

OAIC observations on serious harm

In its Notifiable Data Breaches Statistics Report for April to June 2019, the OAIC identified contact information as the most common type of personal information disclosed in data breaches during that quarter.  The OAIC notes that the loss of contact information may not result in immediate financial harm in the way that the loss of credit card information would.

With the above considerations in mind, organisations should recognise that further harm can arise from phishing and social engineering, tactics that are aided by contact information compromised in a data breach.  So, while serious harm may not immediately result from a particular data breach, its flow-on effects should be considered when assessing whether serious harm is likely.

Takeaways

Serious harm is not easily defined and therefore requires consideration of various factors, including the types of information involved in the data breach, the circumstances surrounding it and the nature of the harm that may result.  It is important to note that data breaches which appear minor on their face could have a flow-on effect and result in serious harm.

Additionally, it is important for APP Entities to have a data breach response plan in place as part of their risk and compliance measures.  Organisations that are capable of taking swift remedial action following an Unauthorised Disclosure may avoid having to undertake expensive assessment and notification processes.  Preparation for remedial action may also prevent your company from finding itself in the embarrassing, and potentially very public, position of notifying its clients that their data has been compromised.

Further References

Legislation

Privacy Act 1988 (Cth)

Related articles by Dundas Lawyers

Changes to the Privacy Act commence today!

Cupid Media risks privacy of the dateless

Notifiable data breach scheme commences 23 Feb 2018

Privacy Awareness Week 2019 – 12-18 May 2019

What is a data breach response plan and how do I get one?

Further information

If you need assistance with assessing whether there is a serious risk of harm because of a data breach or a suspected data breach, please telephone me for an obligation free and confidential discussion.

Ben Millar - IT and Technology Lawyer
Ben Waldeck
LL.B., GDLP., MQLS
Practice Leader, Technology
Telephone: (07) 3221 0013
e: bwaldeck@dundaslawyers.com.au


Disclaimer

This article contains general commentary only. You should not rely on the commentary as legal advice.  Specific legal advice should be obtained to ascertain how the law applies to your particular circumstances. 

[1] Privacy Act 1988 (Cth) s 26WE(ii).

[2] Office of the Australian Information Commissioner, Data Breach Preparation and Response Guideline, page 33.

[3] Ibid page 33.

[4] Ibid page 34.

[5] Ibid page 35.

[6] Ibid page 36.

Dundas Lawyers
Street Address Suite 12, Level 9, 320 Adelaide Street Brisbane QLD 4001

Tel: 07 3221 0013