Mandatory data breach notification introduced
By Stanley Drummond, Thomson Geer*
Insurers, super funds and other entities need to extend their privacy compliance measures to comply with new data breach reporting requirements.
The Privacy Amendment (Notifiable Data Breaches) Act, which passed on 22 February 2017 and takes effect in 2018, is a major change to Australian privacy law.
The Act introduces a scheme whereby agencies and organisations regulated by the Privacy Act are required to give notice to the Australian Information Commissioner (AIC) and affected individuals of an "eligible data breach" (EDB).
In 2008, an Australian Law Reform Commission (ALRC) report, For your information: Australian privacy law and practice, noted that, with advances in technology, entities were increasingly holding larger amounts of personal information in electronic form, raising the risk that a security breach could result in others using the information for identity theft and identity fraud.
The ALRC said a notification requirement on entities that had data breaches would allow individuals whose personal information had been compromised to take remedial steps to lessen the adverse impact.
ALRC recommended the Privacy Act be amended to require notification. Its proposed test was notification to those whose privacy had been infringed when data breaches caused "a real risk of serious harm" to an affected individual. Notification would be compulsory unless it would impact on a law enforcement investigation or was determined by the regulator to be contrary to the public interest.
In October 2012, the Federal Government released a discussion paper seeking public comments on whether Australia's privacy laws should include a mandatory data breach notification requirement and, if so, its possible elements.
In April 2013, the government conducted confidential targeted consultation on a more detailed legislative model.
In May 2013, ALRC's recommendation was included in the Privacy Amendment (Privacy Alerts) Bill 2013, which would have introduced a "real risk of serious harm" test for mandatory reporting of data breaches. The Bill passed in the House of Representatives and was in the Senate when it lapsed on Parliament's August 2013 prorogation.
In February 2015, a parliamentary joint committee recommended introducing a mandatory data breach notification scheme and the government agreed.
In December 2015, it released an exposure draft for the Privacy Amendment (Notification of Serious Data Breaches) Bill 2015. Forty-seven submissions were received on the draft Bill. They were generally supportive or supported it subject to technical changes.
After consultation and feedback, the Privacy Amendment (Notifiable Data Breaches) Bill was introduced into Parliament in October 2016.
The Act has inserted a new section, "Notification of eligible data breaches", into the Privacy Act.
An EDB occurs if:
• there is unauthorised access to, or disclosure of, personal information held by an entity; and
• a reasonable person would conclude the access or disclosure would be likely to result in serious harm to any individuals to whom the information relates.
An EDB also occurs if personal information is lost in circumstances where:
• unauthorised access to, or disclosure of, information is "likely to occur"; and
• assuming it were to occur, a reasonable person would conclude the access or disclosure could result in serious harm to individuals to whom the information relates.
The Bill's explanatory memorandum provides examples of EDBs. A cyber intrusion involving publication online of individuals' names and credit card numbers could be an EDB, as could accidental publication of patient records by a medical practice.
Potential serious harm could include physical, psychological, emotional, economic and financial harm, and harm to reputation. The explanatory memorandum says distress alone is not enough.
It implies that whether an affected individual can take any steps in response to a notification that would avoid or mitigate the harm may also be relevant.
The explanatory memorandum said not every data breach would be subject to a notification requirement. It would not be appropriate for minor breaches to be notified because of the administrative burden that may place on entities, the risk of "notification fatigue" for individuals, and the lack of utility where notification does not facilitate harm mitigation.
In response to consultations, the model implemented by the Act modified ALRC's original "real risk of serious harm" threshold by introducing an objective "reasonable person" element and a reference to "likely risk" rather than "real risk".
If an entity is aware of "reasonable grounds" to suspect there may have been an EDB it must conduct a "reasonable and expeditious assessment" to see if the circumstances amount to an EDB and must take "all reasonable steps" to complete the assessment within 30 days.
If the assessment finds reasonable grounds to believe an EDB has occurred, the entity must prepare a statement for the AIC setting out:
(a) the entity's identity and contact details;
(b) a description of the EDB;
(c) the kinds of information concerned; and
(d) recommendations on steps individuals should take in response.
There are three options for notifying individuals:
(a) if practicable – take steps reasonable in the circumstances to notify each individual to whom the relevant information compromised in an EDB relates; or
(b) if practicable – take steps reasonable in the circumstances to notify those individuals considered "at risk"; or
(c) if it is not practicable to notify by (a) or (b) – publish a statement on the entity's website and take other reasonable steps to publicise the statement.
If the AIC believes an EDB has occurred and no statement has been provided, the AIC may give a written direction to the entity requiring it to prepare a statement and give notification of the breach.
An entity's failure to comply with:
• the requirement to assess a suspected EDB;
• the requirement to prepare a statement about an EDB and give it to the AIC;
• the requirement to notify an EDB; or
• an AIC directive to notify an EDB;
is taken to be an "interference with the privacy of an individual" for the purposes of the Privacy Act.
Serious or repeated interferences can attract a maximum penalty of 2,000 penalty units for an individual and 10,000 for a body corporate. The current penalty unit value of $180 equates to $360,000 for an individual and $1.8 million for a body corporate.
*Stanley Drummond is Adjunct Head of Superannuation and Wealth Management at Thomson Geer. This is an edited version of an article that appeared in the Australian Insurance Law Bulletin.