The Privacy Amendment (Notifiable Data Breaches) Bill 2016 was passed by the Australian parliament on 13 February 2017. Assuming that it receives royal assent within the coming days, it will become an Act (the Amendment Act). The key amendments set out in the Amendment Act are likely to take effect 12 months after that, to give Commonwealth government agencies and private sector organisations time to prepare for compliance.
This article discusses the requirements of the Amendment Act, some practical cyber security measures you can put in place and the increasing need to have a well-considered Data Breach Response Plan in place.
The Amendment Act amends the Privacy Act 1988 (the Privacy Act) to introduce mandatory data breach notification requirements for Commonwealth government agencies, private sector organisations and specific other entities (including credit reporting bodies and recipients of tax file number information) that are regulated by the Privacy Act.
The threshold for notification is set higher than in most other jurisdictions: the test is based on whether the breach “is likely to result in serious harm” to an affected individual.
Until the Amendment Act comes into effect, there is no mandatory requirement that an entity inform the Office of the Australian Information Commissioner (the OAIC) or affected individuals following a data breach involving personal information, although the OAIC has encouraged notification where there is a “real risk of serious harm” to an affected individual.
Data breaches are not limited to malicious attacks, such as theft or hacking, but may arise from internal errors or failures to follow information-handling policies that cause accidental loss or disclosure. As technology advances, entities are storing vast amounts of personal information electronically. Australian Privacy Principle 11 in the Privacy Act requires entities that hold personal information to protect it from misuse, interference and loss, as well as unauthorised access, modification or disclosure. This extends to situations where an entity engages a third party to store personal information. The OAIC predicts that, based on comparisons with other jurisdictions, notifications under this mandatory scheme will nearly double to around 200 per year after the commencement of the Amendment Act.
In essence, the Amendment Act provides that an “eligible data breach” happens if:
Serious harm could include physical, psychological, emotional, economic or financial harm, as well as harm to reputation.
In determining whether serious harm is likely, various factors are to be taken into account including the types of personal information involved, whether the information is encrypted and the risk of any encryption being circumvented.
We expect that it will be approximately 12 months before the new provisions take effect. Businesses and Commonwealth government entities should use that period to get ready.
From around mid-February 2018, if your business or agency is subject to the Privacy Act and suffers an eligible data breach, you will have to report the breach to the OAIC and to affected individuals as soon as practicable.
The notification to the individual may use the communication method you normally use to contact the individual (e.g. email, telephone, post).
If you are unable to notify each affected individual, you must publish a notification on your website (if any) and take reasonable steps to publicise the notification.
If you fail to notify the OAIC and/or the affected individuals of a serious data breach, you will be taken to have interfered with the privacy of relevant individuals. You may in any event have interfered with their privacy if you did not take reasonable security measures to protect the personal information against unauthorised access or disclosure, under Australian Privacy Principle 11. As a result, the OAIC may for example require you to make a public apology and pay compensation to the affected individuals. A hefty civil penalty could also apply for serious or repeated non-compliance with mandatory notification requirements.
One of the factors that will be taken into account when assessing whether an eligible data breach has occurred is whether the information was protected by one or more security measures. To protect your business and avoid serious data breaches you should consider:
These changes to the law show the increasing importance regulators are placing on protecting individuals’ privacy including the need to respond appropriately to a data breach.
In the “data age” it is becoming inevitable that all organisations will sooner or later experience a data breach. When that happens, you need to be ready to respond in the best possible way. For that purpose you need a Data Breach Response Plan.
We’ve written previously about the need for a Data Breach Response Plan and what should be included in it. The aim is to be clear about who is responsible for managing your response to a breach and to provide them with clear, practical checklists and tools to use. You do not want to spend the first hours after a serious breach occurs scrambling to contact senior executives and deciding ad hoc who is going to do what in response. A good Data Breach Response Plan will include, amongst other things:
As technology changes, and more and more data about individuals is collected and aggregated, the regulatory regime in relation to privacy and cyber security will remain dynamic. Possible future changes may include the introduction of a legislated tort of “serious invasion of privacy” and a right for individuals to be “forgotten” by data holders.
If you’d like our assistance with getting your Data Breach Response Plan into place, or would like to know more about the changes to the law, please let us know.