
Notifiable Data Breach Scheme commences 23 Feb 2018


Reviewed by Malcolm Burrows

As of 23 February 2018 a new notifiable data breach scheme (Scheme) will be enacted through legislation amending the Privacy Act 1988 (Cth) (Privacy Act) making it mandatory for certain entities to notify affected individuals about eligible data breaches.

What is a data breach?

A data breach occurs where personal information is lost, stolen, accessed or inadvertently published.  The latter was the case for the Australian Red Cross, whose database containing 1.28 million customer records, including sensitive information, was inadvertently posted to a public website in 2016.

What is personal information?

Personal Information is defined in s 6(1) of the Privacy Act as information or an opinion about an identified individual, or an individual who is reasonably identifiable.  For further information see our article on: The Meaning of Personal Information.

Who does the Scheme relate to?

Pursuant to s 26WE(1) of the Privacy Act (as amended), the requirement to notify affected individuals applies to:

  • entities that have an annual revenue of more than A$3,000,000 who hold personal information;
  • credit reporting bodies; and
  • credit providers.

The Scheme also applies to certain entities with an annual revenue of less than A$3,000,000 under s 6D of the Privacy Act. These include:

  • any entity, regardless of revenue, that holds tax file numbers (in circumstances where the breach involves tax file numbers);
  • entities that provide health services;
  • entities related to an Australian Privacy Principle (APP) entity;
  • entities that trade in personal information;
  • employee associations registered under the Fair Work (Registered Organisations) Act 2009 (Cth);
  • entities that ‘opt-in’ to APP coverage under s 6EA of the Privacy Act;
  • entities that provide services to the Commonwealth under a contract;
  • entities operating a residential tenancy data base; and
  • internet service providers and telecommunication entities holding information under the mandatory data retention scheme, pursuant to Part 5-1A of the Telecommunications (Interception and Access) Act 1979 (Cth).

Note: The above list refers to the main entities obligated by the Scheme; however, it is not exhaustive.

What is an eligible data breach?

An eligible data breach occurs, pursuant to s 26WE(1) of the Privacy Act (as amended), where either:

  • there is unauthorised access to, or unauthorised disclosure of, the information and a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates; or
  • information is lost in circumstances where unauthorised access to, or unauthorised disclosure of, the information is likely to occur and assuming that unauthorised access to, or unauthorised disclosure of, the information were to occur, a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates.

Examples of where an eligible data breach may arise include:

  • an employee’s laptop containing personal information is lost or stolen;
  • a database containing personal information is hacked; or
  • an Excel spreadsheet containing personal information is accidentally emailed to the wrong recipient.

In each of these instances an entity to whom the Scheme applies will have to notify the affected individuals if the breach is ‘likely to result in serious harm to any of the individuals to whom the information relates’.

What does ‘likely to result in serious harm’ mean?

The term ‘likely to result in serious harm’ is not defined in the Privacy Act as it exists or as amended.  However, the explanatory memorandum relating to the amending act, the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth), explains:

  • “Serious harm, in this context, could include serious physical, psychological, emotional, economic and financial harm, as well as serious harm to reputation and other forms of serious harm that a reasonable person in the entity’s position would identify as a possible outcome of the data breach.”
  • “It is expected that a likely risk of serious financial, economic or physical harm would be the most common likely forms of serious harm that may give rise to notification. Nonetheless, a reasonable person may conclude in some cases that a likely risk of serious psychological or emotional harm, serious harm to reputation or other serious harms arising from an unauthorised access, unauthorised disclosure or loss of personal information may exist. For example, this may be the case where an eligible data breach involves health information or other ‘sensitive information’.”
  • “Though individuals may be distressed or otherwise upset at an unauthorised access to or unauthorised disclosure or loss of their personal information, this would not itself be sufficient to require notification unless a reasonable person in the entity’s position would consider that the likely consequences for those individuals would constitute a form of serious harm.”

How is the likelihood of serious harm assessed?

In assessing whether or not a reasonable person would conclude that access to, or a disclosure of, information would be likely to result in serious harm, an entity will need to consider, inter alia:

  • the kind or kinds of information;
  • the sensitivity of the information;
  • whether the information is protected by one or more security measures and if the information is protected by one or more security measures — the likelihood that any of those security measures could be overcome;
  • the persons, or the kinds of persons, who have obtained, or who could obtain, the information; and
  • the nature of the harm that may arise.

What are the consequences of non-compliance?

Failure to comply with the obligations under this Scheme will be deemed an interference with an individual’s privacy pursuant to the Privacy Act.  The Office of the Australian Information Commissioner (Commissioner) is empowered to instigate investigations, make determinations, seek enforceable undertakings and pursue civil penalties in the Federal Courts.  Section 13G of the Privacy Act sets civil penalties for serious and repeated interferences with privacy of up to $420,000.

How can you prepare?

Data breaches are a real threat to organisations whether the data is accessible over the web or situated in the cloud.  For eligible entities, the preparation of a Data Breach Response Plan may contribute to fulfilling their obligation under Australian Privacy Principle 11 (security of personal information), which states:

If an APP entity holds personal information, the entity must take such steps as are reasonable in the circumstances to protect the information:

(a) from misuse, interference and loss; and

(b) from unauthorised access, modification or disclosure.

Takeaways

This new Scheme makes it mandatory to notify both the affected individuals and the Commissioner of an eligible breach.  It is time to ensure you have a response plan in place to guide your team in identifying and responding to eligible data breaches so as to limit your liability and protect your reputation.
