Update: The OAIC has published the first quarterly report on data breach notifications received under the Notifiable Data Breaches scheme.
From 22 February 2018, for the first time in Australia, entities subject to the Privacy Act 1988 (Cth) (the Privacy Act) will have a mandatory obligation to report what are called ‘eligible data breaches’ to both the Office of the Australian Information Commissioner (OAIC) and any individuals who may be affected by the breach.
The following FAQs will help you understand what this means for your business.
When do the changes commence?
22 February 2018
What do the changes do?
The changes introduce a mandatory data breach notification scheme into the Privacy Act. Under this scheme, it is mandatory for entities and agencies subject to the Privacy Act to notify individuals when a data breach occurs which is likely to result in serious harm to those individuals. The OAIC must also be notified of such data breaches.
Who do the changes apply to?
The changes apply to Commonwealth government agencies and private sector organisations who are currently subject to the Australian Privacy Principles under the Privacy Act.
This includes private sector organisations, including not-for-profits, with annual (group) turnover of more than $3 million. It also includes small businesses earning $3 million or less where they are health service providers, businesses that trade in personal information, contractors that provide services under a Commonwealth contract or credit reporting bodies, amongst others.
Entities already exempt from the operation of the Australian Privacy Principles remain exempt from the changes.
So, for example, the changes apply to private schools or companies with turnover of more than $3 million per year, but not to local councils or state government agencies.
What are some examples of data breaches that could affect an entity?
Examples of a data breach include when:
- a device containing customers’ personal information is lost or stolen;
- a database containing personal information is hacked; and
- personal information is mistakenly provided to the wrong person.
The obligation to notify the OAIC and affected individuals as a result of the changes to the Privacy Act is only triggered in circumstances where a data breach constitutes an ‘eligible data breach’, as further described below.
What should an entity do if it becomes aware of a data breach?
If you are an entity that is subject to the Australian Privacy Principles in the Privacy Act and you become aware that there are reasonable grounds to believe that there has been an eligible data breach, you are required to promptly notify any individuals at risk of being affected by the data breach and the OAIC.
(a) Eligible data breach
An ‘eligible data breach’ occurs where:
- there is unauthorised access to, or unauthorised disclosure of, personal information, or personal information is lost in circumstances where unauthorised access to, or unauthorised disclosure of, the information is likely to occur; and
- a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates.
In this test, ‘likely’ is to be interpreted to mean more probable than not and ‘reasonable person’ is to be taken to mean a person in the entity’s position who is properly informed, based on information immediately available or following reasonable inquiries or an assessment of the data breach. Importantly, the OAIC’s guidance states that the reasonable person is not to be taken from the perspective of an individual whose personal information was part of the data breach or any other person, and, generally, entities are not expected to make external enquiries about the circumstances of each individual whose information is involved in the breach.
(b) “Likely to result in serious harm”
An assessment as to whether an individual is likely to suffer ‘serious harm’ as a result of an eligible data breach depends on, among any other relevant matters:
- the kind and sensitivity of the information subject to the breach;
- whether the information is protected and the likelihood of overcoming that protection;
- if a security technology or methodology is used in relation to the information to make it unintelligible or meaningless to persons not authorised to obtain it - the information or knowledge required to circumvent the security technology or methodology;
- the persons, or the kinds of persons, who have obtained, or could obtain, the information; and
- the nature of the harm that may result from the data breach.
The Explanatory Memorandum for the amendments recognises that potential forms of serious harm could include physical, psychological, emotional, economic and financial harm as well as harm to reputation.
(c) Remedial action
There are a number of exceptions to the notification obligation, including importantly where an entity is able to take effective remedial action to prevent unauthorised access to, or disclosure of, information when it is lost or to prevent any serious harm resulting from the data breach. Where such remedial action is taken by an entity, an eligible data breach will not be taken to have occurred, and therefore an entity will not be required to notify affected individuals or the OAIC.
(d) Suspicion of an eligible data breach
If an entity merely suspects that an eligible data breach has occurred but there are no reasonable grounds to conclude that the relevant circumstances amount to an eligible data breach, the entity must undertake a “reasonable and expeditious assessment” of whether there are in fact reasonable grounds to believe that an eligible data breach has occurred.
An entity must take reasonable steps to complete such an assessment within 30 days after the day it became aware of the grounds that caused it to suspect an eligible data breach. We note that the OAIC’s guidance suggests that the 30 days should be treated as a maximum time limit for completing an assessment, and entities should endeavour to complete the assessment in a much shorter timeframe.
Where entities jointly or simultaneously hold the same record of information in respect of which an eligible data breach is suspected to have occurred, only one assessment is required to be undertaken.
Where an entity fails to realise that there are reasonable grounds to suspect that an eligible data breach has occurred, or fails to undertake an adequate assessment, the OAIC may direct the entity to notify individuals affected by the breach.
How long does an entity have to notify of an eligible data breach and what form does the notification take?
Where an entity is aware that there are reasonable grounds to believe that there has been an eligible data breach (whether it forms such an awareness following an assessment, as discussed above, or otherwise), the entity must as soon as practicable:
- prepare a statement that, at a minimum, contains:
  - the entity’s contact details. If relevant, the identity and contact details of any entity that jointly or simultaneously holds the same information in respect of which the eligible data breach has occurred (for example, due to outsourcing, joint venture or shared services arrangements) may also be provided. If this information is included in the statement, that other entity will not need to separately report the eligible data breach;
  - a description of the data breach;
  - the kinds of information concerned; and
  - the steps it recommends individuals take to mitigate the harm that may arise from the breach (while the entity is expected to make reasonable efforts to identify and include recommendations, it is not expected to identify every possible recommendation that could be made following a breach);
- provide a copy of this statement to the OAIC; and
- take such steps as are reasonable in the circumstances to notify affected or at-risk individuals of the contents of the statement. Individuals may be notified by the mode of communication normally used by the entity or, if there is no normal mode of communication, by email, telephone or post. If direct notification is not practicable, the entity must publish the statement on its website and take reasonable steps to publicise its contents.
What constitutes a ‘practicable’ timeframe will vary depending on the time, effort or cost required to comply with the above requirements.
What are the fines that an entity might face if it is subject to an eligible data breach?
Where an entity experiences an eligible data breach, the occurrence of that data breach in and of itself is unlikely to result in the entity facing penalties. Rather, a failure to comply with the notification obligations will be considered an interference with the privacy of an individual affected by the eligible data breach. Under the Privacy Act, this means that a failure to notify the OAIC and affected individuals of an eligible data breach could be the subject of a complaint to the Privacy Commissioner.
Serious or repeated interferences with the privacy of an individual can give rise to civil penalties of up to $2.1 million for bodies corporate. (We note that company directors or management will not be personally liable for such serious or repeated interferences.)
Are there any new rules relating to the security of personal data introduced by the changes?
There are no new requirements regarding the security of personal data. The changes instead build on Australian Privacy Principle 11, which already requires entities that hold personal information to take reasonable steps to protect it from misuse, interference and loss, and from unauthorised access, modification or disclosure.
What sort of policies should an entity have in place to ensure compliance with the changes?
The OAIC recommends that entities have an up-to-date data breach response plan in place to ensure that they are able to respond to suspected data breaches quickly. The OAIC’s Data breach notification — A guide to handling personal information security breaches and Guide to developing a data breach response plan (which the OAIC are currently updating) provide handy guidance in managing suspected data breaches and developing policies.
What are other entities doing about the changes to get themselves ready?
Many entities are:
- getting to know what data they have and where it is kept. It is important to have a data strategy in place that documents what data your company captures, who it relates to and where it is kept to ensure that you are complying with your legal and regulatory obligations relating to that data; and
- looking at their existing data privacy and security policies and procedures to make sure that they are in a position to respond appropriately and quickly in the event of a data breach. This should include a data breach response plan which works across the organisation and quickly brings the right people together to respond.
It is also important that an entity’s personnel are aware of the changes. Personnel need training, including to identify when an eligible data breach may have occurred and how to follow an entity’s policies and procedures on what to do next. Importantly, teams such as IT, legal, public relations, and management will need to know how to work effectively together to investigate, manage and remediate a data breach.
Some entities are looking at their relationships with suppliers who process personal information on their behalf and amending and strengthening their privacy clauses. These privacy clauses should ensure that a supplier provides assistance if a data breach occurs on the supplier’s side or systems. They are also developing supplier-facing policies to ensure that suppliers understand their role and what is expected of them in the event of a data breach.
Finally, some entities are auditing and strengthening their cybersecurity strategies and tools to prevent data breaches.