Author: Jodie Siganto December 2015

With the recent release of a new draft bill, the Privacy Amendment (Notification of Serious Data Breaches) Bill 2015,[1] it seems that mandatory notification will soon be introduced into Australia. The draft bill requires entities covered by the Privacy Act 1988 (Cth) to notify the Privacy Commissioner and affected individuals where the entity reasonably believes that there is a real risk of serious harm arising from unauthorised access to or disclosure of personal information.

Key Takeaways

·       The Privacy Act is likely to be amended to include a mandatory data breach notification requirement. 

·       The new provisions will become enforceable 12 months after the Act has been passed and received Royal Assent from the Governor-General.

·       Notification will be required where there is a loss of, unauthorised access to or disclosure of ‘personal information’ in circumstances where that loss, access or disclosure gives rise to a ‘real risk of serious harm.’

·       Entities have 30 days to determine whether that notification threshold has been reached.

·       Notification is to be given to the Privacy Commissioner and to the affected individual.

·       Details of what should be included in the notice are specified in the legislation.

·       Where personal information has been sent overseas pursuant to APP 8.1, the Australian entity will be responsible for complying with any notification obligations that may result from any unauthorised access to or disclosure of personal information held by the overseas entity.

·       Failure to notify will be regarded as an interference with privacy and the Commissioner has the power to make a determination and to apply for the imposition of a civil penalty.

Notification of Serious Data Breaches

The introduction of mandatory data breach notification (MDBN) has been under consideration in Australia for over 10 years, with the Australian Law Reform Commission (ALRC) recommending such a requirement in its comprehensive 2008 review of the Privacy Act 1988 (Cth).[2] Draft legislation based on the ALRC’s recommendations was initially proposed in 2012 and then again in 2014 but failed to pass.  Following recommendations from the Parliamentary Committee reviewing the then-proposed data retention laws,[3] the Australian Government released the most current draft in early December 2015, inviting public comment before legislation is introduced in Parliament in 2016.[4]

The latest draft bill is substantially the same as the previously proposed legislation, with some updating.

In general terms, the Bill would require Government agencies and businesses subject to the Privacy Act 1988 to notify the Australian Privacy Commissioner and affected individuals following a serious data breach. According to the government, the Bill is intended to ‘improve the privacy of Australians without placing an unreasonable regulatory burden on business.’[5]

Outline of the requirements

The Bill:

·       Applies where there is a serious data breach, which is defined to be one where there is a real risk of serious harm;

·       Lists relevant matters to be considered when determining whether or not there is a real risk of serious harm, including whether the information is intelligible to an ‘ordinary person’ and the security measures taken to protect the information;

·       Provides that notice must be given as soon as practicable but allows entities 30 days to assess whether or not a serious data breach has occurred;

·       Specifies the matters that must be included in the notice;

·       Requires that notice be given to the Commissioner and to affected individuals, subject to certain exceptions;

·       Where not practicable to notify each affected individual, the entity must post notice on the entity’s website and take such other steps as may be reasonable in the circumstances, e.g. social media posting or online or print media advertising;

·       Gives the Commissioner the right to direct that notice be given where the Commissioner believes on reasonable grounds that a serious data breach has occurred;

·       Makes the failure to give a notice an interference with privacy which means that the Commissioner may initiate an investigation, make a determination and apply to the Federal Court for the imposition of a civil penalty.

Application of the Act

The notification obligation applies to all the kinds of entities already subject to the Privacy Act.

The legislation also provides that a serious data breach can only occur in relation to information that is subject to existing Privacy Act security requirements, that is, information that comes within the definition of ‘personal information’.[6]

As well as applying to organisations that hold personal information generally, the exposure draft refers expressly to the obligations applying to credit reporting bodies, credit providers and to the holders of tax file numbers. The obligations with respect to these three classes of entities apply in the same way as to holders of other types of personal information. The potential for harm with respect to some of these categories of information is greater than for organisations that hold more general personal information.

The new provisions will become enforceable 12 months after the Bill has been passed and received Royal Assent.

‘Serious Data Breach’

The notification obligations only apply where there is a serious data breach.[7]


A data breach is defined as occurring where there has been unauthorised access to, or unauthorised disclosure of, personal information about one or more individuals, or where such information is lost in circumstances that are likely to give rise to unauthorised access or unauthorised disclosure.[8]

The Explanatory Memorandum provides that the phrase ‘likely’ is intended to ensure that losses where it is not probable that the information will be subject to unauthorised access or unauthorised disclosure are not covered. An example of this may be where hardcopy information is lost after it has been accidentally disposed of in a secure waste disposal, or the loss of an encrypted electronic storage device where the probability of the encryption being circumvented is low.

A data breach is a serious data breach where there is a real risk of serious harm to the individual to whom the information relates as a result of the data breach (the affected individual). This is based on the standard recommended by the ALRC and also incorporated in the current voluntary data breach guidelines issued by the Office of the Australian Information Commissioner (OAIC).[9]   It is also the same standard proposed in the previous draft bills.

The Bill also leaves it open for regulations to prescribe certain types of information where any unauthorised access or disclosure will be regarded as a serious data breach regardless of the risk of harm.[10]  Examples provided include data breaches involving particularly sensitive information such as health records, which may not cause serious harm in every circumstance but should be subject to the highest level of privacy protection. [11]

Key Definition: A 'serious data breach' is:

  • an unauthorised access to, or unauthorised disclosure of, information which 'will result in a real risk of serious harm' to any of the affected individuals;
  • a loss of information which is 'likely' to result in unauthorised access to or unauthorised disclosure of the information; or
  • a loss of information which 'may' result in unauthorised access/disclosure of the information but only where the information is of a kind specified in the regulations. The EM suggests that the information to be specified in the regulations would include particularly sensitive information, such as health records

‘Real risk of serious harm’

Serious harm is defined to include physical, psychological, emotional, economic and financial harm, as well as harm to reputation.[12] This is a broader definition than proposed in the previous draft bills.


The risk of harm must be real, that is, not remote.[13] The justification for this requirement is that the government does not intend that every data breach be subject to a notification requirement. According to the Explanatory Memorandum, ‘It would not be appropriate for minor breaches to be notified because of the administrative burden that may place on entities, the risk of ‘notification fatigue’ on the part of individuals, and the lack of utility where notification does not facilitate harm mitigation.’[14]

Relevant Matters

It is the entity holding the information which has been improperly accessed or disclosed that makes the determination of whether or not there is a real risk of serious harm, not the people affected or the regulator.

In making that determination, the proposed legislation provides a non-exhaustive list of matters that entities must have regard to.[15]  This list is based on matters identified in the current OAIC Data Breach Notification: A guide to handling personal information security breaches, or matters identified in the ALRC report.[16]  The Explanatory Memorandum suggests that the Commissioner could expand or update this guidance to reflect the introduction of the new Part IIIC—Notification of serious data breaches, or to introduce specific security guidelines relating to Part IIIC.[17]

The matters listed for consideration include the kind or kinds of information involved and the sensitivity of the information. The persons, or the kinds of persons, who have obtained, or who could obtain, the information involved in the data breach are also a relevant matter,[18] as is the nature of the harm that may occur as a result of the data breach.[19] Finally, the steps taken, or to be taken, to mitigate the harm to affected individuals following a data breach are relevant when determining whether a real risk of serious harm exists.[20]


Matters to be considered in determining whether there is a real risk of serious harm:

  • The kind of information concerned;
  • The sensitivity of the information;
  • Whether the information is in a form that is intelligible to an ordinary person;
  • If information is not in an intelligible form, the likelihood that information could be converted into such a form;
  • Whether the information is protected by security measures;
  • If the information is protected by security measures, the likelihood that those measures could be overcome;
  • The persons, or the kinds of persons, who have obtained, or who could obtain, the information;
  • The nature of the harm; and
  • If the entity has taken steps to mitigate the harm, the nature of the steps that have been taken and how likely those steps are to be successful.

‘Form intelligible to an ordinary person’

Another relevant matter to consider when determining whether a real risk of serious harm exists is whether the information involved in the breach is in a form that is intelligible to an ordinary person. The phrasing is intended to be technology neutral, and could apply to either electronic or hardcopy information.[21] Examples of information that may not be intelligible to an ordinary person include:

·       encrypted electronic information

·       information that the entity holding the information could likely use to identify an individual, but that other entities or individuals likely could not (an example would be information that the entity could link to a particular individual, but that would be ‘de-identified information’ to other entities or individuals)

·       information that has been adequately destroyed as per APP 11.2 and cannot be retrieved to its original form (such as adequately shredded hard copy information).[22]

The consideration is whether the information would be intelligible to an ‘ordinary person’ which in law sets an objective standard.

The ‘ordinary person’ test is explained further by a subsequent provision which states that, when considering the ‘ordinary person’, the entity should assume that that person has access to software or other technology that is publicly available and commonly used.[23] In other words, it should be assumed that an ordinary person has access to what are essentially ‘ordinary’ resources. The terms ‘publicly available’ and ‘commonly used’ are intended to cover software or other technology that is available for purchase or for free and is widely used. Software or other technology that is openly available via the internet would be considered ‘publicly available’, although whether such software or other technology is ‘commonly used’ would need to be determined on a case-by-case basis. Examples of software that could be considered publicly available and commonly used include widely used web browsers, or applications such as Adobe Acrobat Reader, Adobe Photoshop, Microsoft Office, WinZip or equivalent products.[24]

According to the Explanatory Memorandum, the ordinary person test is not intended to preclude consideration of whether the information would be intelligible to a person with knowledge or capabilities exceeding those of an ordinary person: in such a case other relevant matters may be relevant (in particular paragraphs 26WB(3)(e)–(g) about security measures protecting the information which is discussed further below).[25]

The Bill provides that, where the information is not in a form intelligible to an ordinary person, separate consideration must be given to the likelihood that the information could be converted into such a form by any type of person.[26] For example, encrypted information may not be intelligible to an ordinary person, but if the encryption method used could be circumvented—which could occur if the encryption algorithm is out-of-date or otherwise not fit for purpose and could be broken by a sophisticated attacker, or if the decryption key was also accessed or disclosed in the data breach—the risk could exist that the information could be converted into a form intelligible to an ordinary person. Even where none of these concerns apply in relation to encrypted information, the entity may need to consider the likelihood of the encryption algorithm being broken in the long term.[27]

Security Measures

Another matter to be considered is whether the information is protected by one or more security measures.[28] For example, if an entity’s intrusion detection and prevention systems detect an attack on the entity’s IT networks, the entity could consider whether network security mechanisms were likely to have prevented the attacker from accessing information.[29]

The Explanatory Memorandum recognises that there is some overlap between consideration of whether or not the information is in intelligible form and the security measures which were in place but suggests that the consideration of security measures may be of use in cases where ‘an entity has reasonable grounds but not definitive proof to believe that unauthorised access to or unauthorised disclosure of information has occurred.’[30]  In those cases, consideration of security measures that were in place to protect the information may be of greater utility in assessing whether a serious data breach has occurred than consideration of the intelligibility of the information concerned to an ordinary person.[31]

When considering if the information involved in a data breach is protected by one or more security measures, the Bill also refers entities to consideration of the likelihood that any of those security measures could be overcome.[32]

The Explanatory Memorandum also notes that not all the matters listed will necessarily be particularly relevant in all circumstances. While in some cases one matter may be determinative in considering whether a real risk of serious harm exists, in other cases, it may be that the entity or Commissioner also consider that a real risk of serious harm exists when the relevant matters are considered as a whole.

Continued liability for overseas recipients

The draft Bill sets out the circumstances under which an entity will retain accountability for a ‘serious data breach’ involving personal information that the entity has sent overseas.[33] Where the entity has disclosed personal information about one or more individuals to an overseas recipient pursuant to APP 8.1, the notification provisions apply to the entity as if the personal information were still held by it. A similar provision was included in previous drafts of the legislation.

This means that Australian entities will need to know when a ‘serious data breach’ has occurred with respect to the information that they have disclosed to the overseas provider. Australian entities should therefore include in their contracts with overseas service providers notification provisions at least consistent with the draft Bill, that is, provisions which require that the Australian entity be notified as soon as practicable wherever there are reasonable grounds to believe that there has been a serious data breach affecting the information held about Australians. Consideration should also be given to other contractual provisions, which might include:

·       An obligation to take all reasonable steps to mitigate any harm;

·       An obligation to assist in any investigation by the regulator and to comply with any direction, determination or other order made by the Australian regulator;

·       Authorisation for the Australian entity to negotiate an appropriate enforceable undertaking;

·       An undertaking to share all information relating to the incident including information provided to or received from law enforcement agencies.

Notification of Serious Data Breaches

If an entity is aware, or ought reasonably to be aware,[34] that there are reasonable grounds to believe that there has been a serious data breach of the entity, the entity must, as soon as practicable after the entity becomes aware, or ought reasonably to have become so aware:

·       Prepare a statement that complies with the required form;[35]

·       Give a copy of the statement to the Commissioner; [36]

·       Take such steps (if any) as are reasonable in the circumstances to notify the contents of the statement to each of the individuals to whom the relevant information relates,[37] and

·       If it is not practicable for the entity to notify the contents of the statement to each of the individuals to whom the information relates:

o   Publish a copy of the statement on the entity’s website (if any)[38], and

o   Take reasonable steps to publicise the contents of the statement.[39]

What constitutes ‘reasonable grounds’ will depend on the circumstances.  Where an entity is unsure whether there are reasonable grounds to believe that a serious data breach has occurred, the entity has 30 days to consider whether there are reasonable grounds to believe that a serious data breach has occurred before notification will be required (this is discussed further below).[40]

Method of providing notice

The obligation is to take ‘such steps (if any) as are reasonable in the circumstances’ to notify affected individuals.  This introduces flexibility in terms of how notice should be given.

The draft Bill also recognises that there may be situations where notifying each affected individual is not practicable, for example, where the time, effort or cost of notifying each affected individual would render such notification impracticable. In these situations, publishing a copy of the statement on the entity’s website (if the entity has a website) may be a suitable substitute notification method.  The provision also refers to taking reasonable steps to publicise the contents of the statement. This allows entities to choose the publication channels most likely in the circumstances to be effective in bringing a serious data breach to the attention of affected individuals, for example, by taking out a print or online advertisement in a publication or website the entity considers reasonably likely to reach affected individuals, or publishing an announcement on the entity’s social media channels.[41]

In some cases it might be reasonable to take more than one step to publicise the notice of breach. For example, an entity could take out multiple print or online advertisements (which could include paid advertisements on social media channels), publish posts on multiple social media channels, or use both traditional media and online channels.

Where an entity considers that compliance with the notification provisions would be practicable but nonetheless contrary to the public interest, the entity may apply to the Commissioner for an exemption from the notification requirement.[42]

Contents of Notice

The list of matters to be included in the statement is based on the matters in the current OAIC Data Breach Notification: A guide to handling personal information security breaches. The Bill requires that the statement must include:

·       the identity and contact details of the entity;

·       a description of the serious data breach that the entity has reasonable grounds to believe has happened;

·       the kind or kinds of information concerned; and

·       recommendations about the steps that individuals should take in response to the serious data breach that the entity has reasonable grounds to believe has happened.[43]

The recommendations should provide individuals with advice about steps they should take to mitigate the harm that may arise to them as a result. Examples could include recommending that individuals request a copy of their credit report if a serious data breach might result in credit fraud.


This list is not exhaustive, and reference should be made to the Commissioner’s guidance material, which may identify other kinds of information to include in the notice.

As soon as practicable

The obligation is to give the notice ‘as soon as practicable after the entity becomes aware, or ought reasonably to have become so aware.’ The phrase ‘as soon as practicable’ includes time taken by the entity to carry out a reasonable assessment of whether there are reasonable grounds to believe that the relevant circumstances amount to a serious data breach of the entity, so long as that assessment is carried out within 30 days.[44]

The type of assessment to be undertaken will again vary depending on the circumstances of the serious data breach or potential serious data breach.

The assessment process is intended to provide certainty and reduce the cost of compliance for entities and reduce the risk of individuals experiencing ‘notification fatigue’ due to receiving large numbers of notifications for non-serious breaches.[45]

Commissioner’s Powers

The Commissioner may direct an entity to provide notice of a serious data breach where the Commissioner believes on reasonable grounds that such a breach has occurred.[46] The Commissioner also has the power to exempt entities from the notification obligation where the Commissioner is satisfied that it is in the public interest to do so.


Failure to notify in accordance with the Act, including where directed to notify by the Commissioner, is taken to be an act that is an ‘interference with the privacy of an individual’.[47] This means that the Privacy Commissioner can use all the powers and access the remedies available to the Commissioner under the Privacy Act. These include the capacity for the Commissioner to initiate investigations, make determinations, seek enforceable undertakings, and make applications for civil penalties for serious or repeated interferences with privacy.


The Commissioner also has the power to issue guidance and may issue guidelines about matters relating to compliance with the new Part IIIC—Notification of serious data breaches. [48]


Consultation Documents

The following documents provide further information on the proposed scheme and its regulatory impact:



[1] Exposure draft – Privacy Amendment (Notification of Serious Data Breaches) Bill 2015.

[3] <http://www.aph.gov.au/Parliamentary_Business/Committees/Joint/Intelligence_and_Security/Data_Retention/Report>.

[4] https://www.ag.gov.au/consultations/pages/serious-data-breach-notification.aspx

[5] https://www.ag.gov.au/consultations/pages/serious-data-breach-notification.aspx

[6] Explanatory Memorandum, 10.  See also new subsection 26WB(1), which is titled ‘Scope.’

[7] New subsection 26WB(2), which is titled ‘Serious data breach’, establishes the circumstances that will constitute a ‘serious data breach’ when information within the scope of section 26WB is subject to unauthorised access, unauthorised disclosure or loss.

[8] Explanatory Memorandum, [15].

[9] Explanatory Memorandum, 3.  See also paragraph 26WB(2)(a).

[10] New subparagraph 26WB(2)(a)(ii).

[11] Explanatory Memorandum, [28].

[12] New section 26WF.

[13] New section 26WG.

[14] Explanatory Memorandum, 3.

[15] New subsection 26WB(3), which is titled ‘Relevant matters.’

[16] Explanatory Memorandum, [36].

[17] Explanatory Memorandum, [37].

[18] New paragraph 26WB(3)(g).

[19] New paragraph 26WB(3)(h).

[20] New paragraph 26WB(3)(i).

[21] Explanatory Memorandum, [42].

[22] Explanatory Memorandum, [43].

[23] New subsection 26WB(4).

[24] Explanatory Memorandum, [60].

[25] Explanatory Memorandum, [44].

[26] New paragraph 26WB(3)(d).

[27] Explanatory Memorandum, [45].

[28] New paragraph 26WB(3)(e).

[29] Explanatory Memorandum, [46].

[30] Explanatory Memorandum, [48].

[31] Ibid.

[32] New paragraph 26WB(3)(f).

[33] New subsection 26WB(5).

[34] New subsection 26WC(1).

[35] New paragraph 26WC(1)(a).

[36] New paragraph 26WC(1)(b).

[37] New paragraph 26WC(1)(c).

[38] New subparagraph 26WC(1)(d)(i).

[39] New subparagraph 26WC(1)(d)(ii).

[40] Explanatory Memorandum, [74].

[41] Explanatory Memorandum, [81].

[42] New subsections 26WC(6)–(11).

[43] New subsection 26WC(3), Explanatory Memorandum, [92].

[44] New subsection 26WC(2).

[45] Explanatory Memorandum, [87].

[46] New section 26WD.

[47] New subsection 13(4A).

[48] Explanatory Memorandum, 9.