Newsflash: mandatory reporting under the Privacy Act

Is your organisation ready for the stricter reporting requirements soon to be introduced by the recent amendments to the Privacy Act 1988?

Significant amendments to the Privacy Act 1988 (Cth) (Act) have been introduced by the Privacy Amendment (Notifiable Data Breaches) Act 2016[1] (New Act), which has been passed by both Houses of Parliament and received Royal Assent on 23 February 2017. Unless a proclamation declares an earlier date, the New Act will come into force by 23 February 2018 at the latest, being 12 months after it received Royal Assent.[2]

The New Act extends significant obligations to certain classes of entities regulated by the Act[3] (APP Entities), requiring them to report both actual and suspected data breaches. In broad terms, an APP Entity includes any business with an annual turnover of more than $3M (see footnote 3 for the full definition).

The New Act is in response to concerns surrounding the significant growth in the amount of personal information being held by APP Entities.

Whilst Australian Privacy Principle 11 already requires APP Entities to take reasonable steps to keep the personal information they hold secure,[4] the Act did not require an APP Entity to notify the individuals whose personal or other information had been compromised.[5]

The New Act sends a clear message to APP Entities that the protection of an individual’s personal information should be a priority. It is relevant to all APP Entities.

The notification requirement is intended to give individuals an opportunity to take immediate steps to minimise any harm arising from the breach.

It remains to be seen how this will work in practice.

What is an ‘eligible data breach’?

Under the Act, APP Entities are already required to keep secure certain information they hold in relation to individuals.[6] That information includes:

  • personal information;
  • credit reporting information held by credit reporting bodies;
  • credit eligibility information held by credit providers; and
  • tax file number information.

The New Act applies to any APP Entity that commits an ‘eligible data breach’ (defined under the New Act[7]) (Breach) in relation to that information.

A Breach includes, but is not limited to:

  • lost or stolen computer devices or paper records containing personal information;
  • failing to erase hard drives and other digital storage media before disposing of the equipment;
  • hacking of databases containing personal information;
  • access or disclosure of personal information by employees outside the requirements or authorisation of their employment; and
  • an APP Entity mistakenly providing personal information to the wrong person, such as sending it to the wrong postal or email address.[8]

What must your organisation do if it suspects it has committed an eligible data breach?

APP Entities that reasonably believe they may have committed a Breach[9] must provide a statement to the Privacy Commissioner as soon as practicable[10] after becoming aware of the Breach.

The statement must:

  • include the identity and contact details of the APP Entity (including associated entities where relevant) that has committed the Breach;[11]
  • include details of the nature of the Breach and the type of information concerned;[12] and
  • recommend steps that an individual should take in response to the Breach that the APP Entity believes has occurred.[13] Such steps can include cancelling credit cards and changing PINs and passwords, where relevant.

If it is practicable, the APP Entity must take reasonable steps to notify the individual(s) to whom the relevant information relates, or who are at risk from the Breach, of the contents of the statement.[14]

If neither of those options is practicable, then a copy of the statement must be published on the APP Entity’s website and reasonable steps must be taken to publicise its contents.[15]

Notification of the Breach is compulsory except in circumstances where notification would impact on a law enforcement investigation[16] or would be in breach of secrecy provisions.[17]

What should you do if you only suspect that your organisation may have committed a Breach?

Even where a Breach is only suspected, an APP Entity must carry out a “reasonable and expeditious” assessment of whether there are reasonable grounds to believe the suspected Breach is in fact an eligible data breach, and must complete that assessment within 30 days of becoming aware of the suspicion.[18]

Certain exceptions apply

The reporting requirements will not apply if the Breach is unlikely to cause serious harm to the individuals to whom it relates, or if the APP Entity that committed the Breach takes remedial action before the access or disclosure causes any serious harm.[19] In that case, the access or disclosure is taken never to have been a Breach.

In considering whether ‘serious harm’ is likely to result to an individual, consideration must be given to the kind of information and its sensitivity, the kind of persons who could have obtained access to the information, and the likelihood that they obtained the information with the intention of causing harm to any of the individuals to whom it relates.[20]

That assessment necessarily involves judgement, and if you are in any doubt as to whether your organisation has committed an eligible data breach, you should notify the Privacy Commissioner in any event.

If the Commissioner becomes aware that there are reasonable grounds to suspect a Breach, and it has not been reported, the Commissioner can direct an APP Entity to provide a statement in the format outlined above.[21]

Penalties

A failure to comply with the requirements included in the New Act is deemed to be an interference with an individual’s privacy for the purposes of the Act.

The Commissioner has wide ranging powers to investigate, make determinations, and provide remedies in relation to non-compliance.

Serious or repeated interferences with the privacy of an individual can attract a maximum penalty of $360,000 for individuals and $1.8M for bodies corporate.[22]

What do you need to do?

Preventing a Breach

The New Act will come into force in a maximum of one year’s time, and possibly sooner. Businesses should use this time to ensure they are ready to comply once the New Act becomes operative. Specifically: 

  • Review your organisation’s cyber security controls to prevent, as far as practicable, unauthorised access to your systems and the personal information they hold.
  • Review and modify your organisation’s privacy plan and protocols to ensure that they factor in the amendments referred to above.
  • Ensure that only authorised personnel have the ability to access personal information, setting up information barriers where appropriate.
  • Ensure that any personal information on redundant equipment and storage media is securely erased before it is disposed of.
  • Put procedures in place to minimise, as far as possible, the prospect of personal information being inadvertently disclosed to the wrong person.
  • Consider taking out cyber insurance to cover the potential exposure in respect of a Breach.
  • Have a protocol in place for responding to a Breach.

Dealing with a Breach

  • Ensure you have processes in place to detect and monitor any potential Breach.
  • If a Breach or suspected Breach occurs, take remedial action immediately, to maximise your prospects of arguing that the data breach falls within the exemptions referred to above.
  • Take immediate steps to minimise any serious harm that the Breach is likely to cause to an individual, so that you can argue that the Breach has not caused serious harm to any individual.

If you have any queries or comments about this New Act or how it affects your business, please contact Lorraine Madden or Iain Freeman.

[1] Privacy Amendment (Notifiable Data Breaches) Act 2016 (Cth).

[2] Ibid.

[3] Privacy Act 1988 (Cth) s 6.

‘entity’ means:

  • an agency; or
  • an organisation; or
  • a small business operator.

Most government agencies, all private sector and not-for-profit organisations, all private health service providers, and businesses with a turnover of more than $3M fall within this definition.

[4] Privacy Act 1988 (Cth) Schedule 1 Australian Privacy Principle 11.

[5] Commonwealth, Parliamentary Debates, House of Representatives, 2016, (Senator the Honourable Brandis, Attorney-General), [1] to [4].

[6] Privacy Amendment (Notifiable Data Breaches) Act 2016 (Cth).

[7] Ibid, s 26WA.

An eligible data breach happens if:

  • there is unauthorised access to, or unauthorised disclosure of, or loss of, personal information held by an entity; and
  • the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates.

[8] Commonwealth, Parliamentary Debates, House of Representatives, 2016, (Senator the Honourable Brandis, Attorney-General) [14].

[9] Privacy Amendment (Notifiable Data Breaches) Act 2016 (Cth), s 26WK.

[10] Ibid, s 26WK.

[11] Ibid, s 26WK(3)(a) and (4).

[12] Ibid, s 26WK(3)(b) and (c).

[13] Ibid, s 26WK(3)(d).

[14] Ibid, s 26WL(2)(a) to (c).

[15] Ibid, s 26WL(2)(c).

[16] Ibid, s 26WS.

[17] Ibid, s 26WT.

[18] Ibid, s 26WH.

[19] Ibid, s 26WF.

[20] Ibid, s 26WG.

[21] Ibid, s 26WR.

[22] Privacy Act 1988 (Cth) s 13G.

Disclaimer – the information contained in this publication does not constitute legal advice and should not be relied upon as such. You should seek legal advice in relation to any particular matter you may have before relying or acting on this information. The Lavan team are here to assist.