New mandatory data breach notification legislation
The long-awaited Privacy Amendment (Notifiable Data Breaches) Bill 2016 (Bill) was passed in the Australian Parliament on 13 February 2017. The Bill amends the Privacy Act 1988 (Privacy Act) to introduce a mandatory data breach notification regime (notification regime). The notification regime is a significant change to the data breach notification obligations of organisations holding personal information.
The Bill is likely to commence 12 months after it receives Royal Assent (which is expected to occur shortly).
Background
Unlike many other jurisdictions, Australia does not currently have a mandatory data breach notification regime (ie legal requirements imposed on organisations to notify impacted individuals and/or relevant regulators where personal information an organisation holds about an individual is subject to a data breach or other similar incident).
The Australian Information Commissioner (Commissioner) has previously encouraged organisations to voluntarily notify data breaches; however, there has been no express requirement under the Privacy Act for organisations to do so.
There have been a number of recent legislative proposals for the introduction of a mandatory data breach notification regime in Australia. Issues regarding mandatory data breach notification have also received significant public and media attention as a result of recent high-profile data breaches such as those impacting LinkedIn, Adobe, Optus, Kmart, Yahoo and Ashley Madison.
Summary of notification regime
The Bill will amend the Privacy Act to establish a regime requiring organisations to provide notification to the Commissioner and affected individuals about ‘eligible data breaches’.
The notification regime will apply to any organisation currently subject to the Privacy Act (which will include many private sector entities, government agencies, credit reporting bodies, credit providers and tax file number recipients).
Broadly speaking, under the Bill, an ‘eligible data breach’ will occur where:
- there has been unauthorised access to, or disclosure of, personal information and a reasonable person would conclude that there is a likely risk of serious harm to any of the affected individuals as a result of the access or disclosure; or
- personal information is lost in circumstances that are likely to give rise to unauthorised access to, or disclosure of, the information and a reasonable person would conclude that there is a likely risk of serious harm to any of the affected individuals.
The meaning of ‘serious harm’ is not defined in the Bill. However, the Explanatory Memorandum to the Bill states that serious harm could include physical, psychological, emotional, economic and financial harm, and will depend upon both the circumstances of the individual and the circumstances of the relevant data breach.
In addition, the amendments to the Privacy Act include a list of relevant factors an organisation would need to consider in determining whether ‘serious harm’ is likely in respect of a relevant data breach.
Notification obligations
Under the notification regime:
- organisations that have reasonable grounds to suspect that an eligible data breach has occurred will have obligations to carry out a reasonable and expeditious assessment of the suspected data breach. The organisation will need to take reasonable steps to ensure the assessment is completed within 30 days of the organisation becoming aware of the suspected data breach; and
- following such an assessment, organisations will (subject to any exceptions) be required to notify the Commissioner and affected individuals where the organisation has, or suspects there are, reasonable grounds to believe that an ‘eligible data breach’ has in fact occurred. This would require the organisation to:
  - prepare a statement setting out the organisation’s identity and contact details, a description of the breach, the kind of information concerned, and recommendations about what individuals should do in response to the breach;
  - give a copy of the statement to the Commissioner;
  - if practicable, take reasonable steps to notify the contents of the statement to each of the individuals to whom the relevant information relates or who are at risk from the breach; and
  - if it is not practicable to notify affected individuals, publish a copy of the statement on the organisation’s website (if any) and take reasonable steps to publicise the contents of the statement.
Exceptions
There are a number of exceptions to the notification regime. In particular:
- Where an organisation has taken remedial action to address potential harm to individuals that may arise due to a relevant data breach before any serious harm is caused to individuals to whom the information relates, the mandatory notification obligations will not apply.
- Other exceptions cover law enforcement, Commonwealth secrecy requirements, data breaches impacting multiple entities and declarations by the Commissioner.
Consequences of non-compliance
Where an organisation breaches a mandatory notification requirement, the contravention is deemed to be an ‘interference with the privacy of an individual.’ As a result, it may amount to a breach of a civil penalty provision of the Privacy Act.
This could result in the organisation being liable for a civil penalty of up to 2,000 penalty units, the current value of which is $1.8 million.
Recommendations
Organisations that are required to comply with the Privacy Act should start preparing for the commencement of the notification regime. Steps that we recommend organisations consider taking include:
- ensuring that personnel with management and privacy compliance responsibilities understand the operation and implications of the notification regime
- putting in place procedures to manage compliance with the notification regime in the event of a data breach (such as a formal data breach plan) and
- considering the implications of the notification regime in relation to outsourcing or other arrangements with third parties who hold personal information for the organisation (for example whether adequate contractual provisions are in place to manage compliance with the notification regime).
In addition, the Bill provides a good incentive for organisations to review and, if necessary, update their information management, privacy policies and data security practices and procedures. Having robust systems and processes in place to monitor, detect and respond to data breaches in a timely manner will assist organisations with:
- managing compliance risks in relation to data breaches and the notification regime
- potentially being able to rely on exceptions to the notification regime (such as the ‘remedial steps’ exception discussed above) and
- managing the Privacy Act and data security compliance obligations of organisations more generally.