Amendments to the Privacy Act 1988 (Cth) passed in mid-February introduce an obligation for organisations covered by the Act to notify affected individuals and the OAIC if they have an ‘eligible data breach.’ But what does it all mean? This Guidance note provides more detail about what exactly is required.
- Only ‘eligible data breaches’ are notifiable to affected individuals and the OAIC.
- An eligible data breach is one where there has been loss of, unauthorised access to or disclosure of information which is likely to result in serious harm.
- If you’re unsure, you have 30 days to determine whether it is an eligible data breach.
- If you have taken remedial action which mitigates the risk of serious harm, then you don’t have to notify.
- Affected individuals should be notified as soon as practicable.
- It’s important to identify who should notify what where more than one entity holds the same personal information (e.g. you use a cloud service provider who has an eligible data breach).
When do the notification laws come into effect?
The amendments will commence either 12 months after the date of Assent or on an earlier date fixed by proclamation. The Bill has not yet been assented to, and no date has yet been fixed, but it will probably be sometime in March or April 2018.
Eligible Data Breach
The key definition is ‘eligible data breach.’ Not every data breach is notifiable: only those that come within the definition of ‘eligible data breach.’ However, there is also an important exception to the requirement to notify where remedial action has been taken which is discussed further below.
To be an ‘eligible data breach’ there must be:
- Unauthorised access to or disclosure of information, or loss of information in circumstances where such unauthorised access or disclosure is likely to occur (e.g. you leave an unencrypted laptop on the train, versus you crush your laptop beyond repair by accidentally driving over it in your car: in both cases the information on the laptop is probably lost, but only in the former is unauthorised access or disclosure likely to occur); and
- A reasonable person would conclude that the access, disclosure or loss would be likely to result in serious harm to any of the individuals to whom that information relates.
Whether a reasonable person would conclude that a person was likely to suffer serious harm as a result of the breach depends upon a broad range of factors, including the nature and sensitivity of the information, whether the information is protected by security measures, the person/s who have obtained or could obtain the information, and the nature of the harm that may result. “Harm” is defined to include serious physical, psychological, emotional, economic and financial harm in addition to harm to reputation.
If you suspect that there may be an eligible data breach but you’re not sure, the Act allows organisations 30 days during which they must carry out a ‘reasonable and expeditious assessment’ as to whether there are reasonable grounds to believe that the relevant circumstances amount to an eligible data breach. You can take longer than 30 days if needed, but must be able to establish that the assessment was ‘expeditious.’ At the end of that time, if you determine that there is an eligible data breach, it must be reported (subject to the remedial action exception, which applies to all eligible data breaches).
Remedial Action Exception
If you take action to rectify an eligible data breach, you may not have to report it. The Act includes a specific exception that provides that there will not be an eligible data breach if you:
- take action before the access, disclosure or loss results in serious harm; and
- that action would, in the opinion of a reasonable person, result in there being no serious harm to any of the individuals.
An example of this sort of remedial action is the remote wiping of a lost laptop. Provided the remedial action is taken before there is any actual serious harm, the event is no longer a reportable eligible data breach.
Who, what and when should be notified?
If you think there has been an eligible data breach, then you must prepare a statement including:
- the identity and contact details of the organisation;
- a description of the eligible data breach that the organisation has reasonable grounds to believe has occurred;
- the kinds of information concerned; and
- recommendations about the steps which individuals should take in response to the eligible data breach.
A copy of the statement must also be provided to the Office of the Australian Information Commissioner.
If practicable, the provider must notify the contents of the statement to the individuals to whom the relevant information relates, or to each of the individuals who are at risk as a consequence of the data breach. If it is not practicable for the provider to contact all the individuals, the provider must take reasonable steps to publicise the contents of the statement and must publish a copy on its website (if any).
The OAIC may also direct an entity to notify affected individuals if it becomes aware that there are reasonable grounds to believe that the entity has suffered an eligible data breach.
The situation is more complicated where a data breach affects a third party provider who has multiple clients. An example might be where a server in a cloud service provider’s data centre is compromised, and as a result a third party has been able to access the data of all of the cloud service provider’s clients hosted on that server. Under the Privacy Act, which does not distinguish between data controllers and data processors, both the client and the cloud service provider might be regarded as holding the personal information that has been inappropriately accessed. Both of these entities thus have a notification obligation. The Act provides that:
- If you know that the data breach affecting you also affects other parties, then you don’t have to notify about those other parties, although you can elect to set out details of those other entities affected in the notice;
- If more than one entity ‘holds’ the same personal information, it is sufficient if one party notifies about the data breach.
It is important to work out who should notify if a breach affects multiple parties, as in the cloud provider example given above. The Privacy Act doesn’t specify who should notify; however, it might be important for your organisation to control the communications about the incident, establish the messages that should be given to the affected individuals and manage any ongoing interactions with the Privacy Commissioner. To be able to do this, your organisation will need to be notified of the incident (and perhaps of all incidents, to enable you to make your own determination of whether there is an ‘eligible data breach’). You should know if any other organisations are affected and what action they might be taking. This should be negotiated with your third-party service providers well in advance of the occurrence of a data breach.
What happens if you don’t give notice?
If an organisation fails to give notice in accordance with the new legislation the consequences are the same as if it had failed to comply with the Australian Privacy Principles.
In summary, the main consequence is the risk of a determination by the Privacy Commissioner requiring the organisation to pay compensation. Ultimately there is also the possibility of having to pay a civil penalty of an amount up to $1.8 million in the case of corporations, where there has been a serious or repeated breach.
What should you do?
Organisations covered by the Privacy Act should ensure they are in a position to comply with the notification requirement when it commences. This might include:
- Reviewing all contracts with third party suppliers to ensure they have appropriate notification provisions.
- Ensuring you have appropriate response plans that can be readily applied to comply with these new obligations in the event of an eligible data breach.
- Testing your data breach response plan.
How can we help?
IT Security Training Australia offers the following training courses and consulting services which may be of interest:
- Data breach notification in Australia: Current and proposed obligations (2 hours – Live Online training session);
- Information Security Incident Response Management Workshop (1 day – instructor led, classroom based);
- Incident response plan review and update;
- Privacy compliance review; and
- Review of contracts with third party service providers to check data breach notification obligations.
For more information on training courses offered by IT Security Training Australia: