Entities required to comply with the Privacy Act 1988 (Cth) (Privacy Act) need to ready themselves for the new notifiable data breach regime which kicks off on 22 February 2018.
Under the reforms to the Privacy Act, an entity that experiences an ‘eligible data breach’ will have an obligation to notify the Australian Information Commissioner (Commissioner) and affected individuals of the breach.
In an era where entities are increasingly experiencing data breaches, with the introduction of new ransomware and other hazardous software, it is more important than ever that entities have sound data breach response plans in place.
What is an ‘eligible data breach’?
An eligible data breach occurs where there is unauthorised access to, unauthorised disclosure of, or loss of, personal information held by an entity and a reasonable person would conclude the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates. Examples of a data breach include:
- where a device containing personal information is lost or stolen and
- where a database containing personal information is hacked.
If an entity is aware that there are reasonable grounds to suspect there may have been an eligible data breach, it must carry out a reasonable and expeditious assessment (within 30 days of forming the suspicion of the breach) of whether there are reasonable grounds to believe that the relevant circumstances amount to an eligible data breach.
However, where remedial action is taken by the relevant entity following a data breach so that serious harm does not occur to an individual, and a reasonable person would conclude that serious harm is not likely, there will not be an eligible data breach.
When does ‘serious harm’ occur?
Serious harm may include serious physical, psychological, emotional, economic and financial harm, together with serious harm to reputation.
When considering whether the access, disclosure or loss would be likely to cause ‘serious harm’, regard should be had to various factors including:
- the kind(s), and sensitivity, of the information
- whether the information is protected by security measures (e.g. by a password) and the likelihood of such measures being overcome
- the persons or kinds of persons who have obtained or could obtain the information and
- the nature of the harm.
If there is an ‘eligible data breach’ – what are the notification obligations?
Under the reforms to the Privacy Act, an entity that has reasonable grounds to believe it has experienced an ‘eligible data breach’ must:
- prepare and provide to the Commissioner, as soon as is practicable after becoming aware of the breach, a statement (Notification Statement) setting out:
- the entity’s identity and contact details (and, where the breach also relates to a different entity, the Notification Statement may also set out the identity and contact details of that entity)
- a description of the breach
- the kind(s) of information impacted by the breach and
- recommendations about the steps affected individuals should take in response and
- as soon as practicable after preparing the Notification Statement:
- if practicable, take steps reasonable in the circumstances to notify the individuals to whom the relevant information relates or who are otherwise at risk from the breach, of the content of the Notification Statement or
- if not practicable to notify the relevant individuals, publish a copy of the Notification Statement on the entity’s website and take reasonable steps to publicise the contents of the Notification Statement.
Can the Commissioner direct an entity to notify?
The Commissioner may by written notice direct an entity to prepare a Notification Statement, provide it to the Commissioner and either notify individuals of the content of the Notification Statement or publish it on the entity’s website. In such circumstances, the Commissioner will invite the relevant entity to make submissions in relation to such a direction.
Exceptions to the notification requirements may apply to certain enforcement-related activities or otherwise where the requirements are inconsistent with certain secrecy provisions set out in federal or state laws.
Further, the Commissioner may extend the period of time in which an entity need notify relevant individuals or otherwise publish the Notification Statement on the entity’s website, where the Commissioner considers it reasonable to do so having considered the public interest, issues regarding enforcement and defence, or other relevant matters.
What can you do to prepare?
Entities affected by the reforms need to take steps to ensure they are ready to respond to a breach should one occur. Of course, the best defence is to prevent a breach from occurring at all and for this reason, as already required by the Privacy Act, entities must ensure there are adequate security measures in place to protect personal information.
However, in a world in which data breaches appear inevitable and increasingly common, entities can prepare themselves by:
- preparing a data response plan, identifying personnel responsible for implementing the plan and ensuring personnel (including contractors) are aware of the plan
- setting out in the data breach response plan ways in which to:
- contain the breach (e.g. shutting down websites, disabling access etc) and
- identify the scope and effect of the breach (e.g. what information, and who, has been affected; how are individuals affected; what was the source of the breach etc) and whether serious harm has occurred or is likely to occur
- preparing a template Notification Statement which can be populated and tailored to a unique eligible data breach
- identifying ways in which to prevent future breaches, for example, reviewing the entity’s privacy and security governance arrangements in order to appropriately foster a security awareness culture throughout the entity and
- training personnel on the entity’s obligations with respect to handling data breaches and general security obligations and the responsibilities each employee has in assisting the entity to comply with those obligations.
Hall & Wilcox can advise and assist with respect to preparing for these upcoming reforms and responding to data breaches should they occur in your business.