Is your organisation ready for the stricter reporting requirements soon to be introduced by the recent amendments to the Privacy Act 1988?
Significant amendments to the Privacy Act 1988 (Cth) (Act) have been introduced by the Privacy Amendment (Notifiable Data Breaches) Act 2016[1] (New Act), which has been passed by both Houses of Parliament and received Royal Assent on 23 February 2017. Unless a proclamation declares an earlier date, the New Act will come into force by 23 February 2018 at the latest, being 12 months after it received Royal Assent.[2]
The New Act imposes significant new obligations on certain classes of entities regulated by the Act[3] (APP Entities) to report actual data breaches and to assess suspected ones. In broad terms, an APP Entity is any business with a turnover of more than $3M per annum.
The New Act is in response to concerns surrounding the significant growth in the amount of personal information being held by APP Entities.
Whilst Australian Privacy Principle 11 already requires APP Entities to take reasonable steps to protect the security of the personal information they hold,[4] the Act has not required an APP Entity to notify the individuals whose personal or other information has been compromised.[5]
The New Act sends a clear message to APP Entities that the protection of an individual’s personal information should be a priority. It is relevant to all APP Entities.
The notification requirement is intended to give individuals an opportunity to take immediate steps to minimise any harm arising from the breach.
It remains to be seen how this will work in practice.
Under the Act, APP Entities are already required to keep secure certain information they hold in relation to individuals.[6] The information includes:
The New Act affects any APP Entity that commits an ‘eligible data breach’ (as defined under the New Act[7]) (Breach) in relation to the improperly disclosed information.
A Breach includes, but is not limited to:
APP Entities that have reasonable grounds to believe that they have committed a Breach[9] must provide a statement to the Privacy Commissioner as soon as practicable[10] after becoming aware of the Breach.
The statement must:
If it is practicable, the APP Entity must take reasonable steps to notify the contents of the statement to each individual to whom the relevant information relates, or to each individual who is at risk from the Breach.[14]
If neither of those options is practicable, then a copy of the statement must be published on the APP Entity’s website and reasonable steps must be taken to publicise its contents.[15]
Notification of the Breach is compulsory except in circumstances where notification would prejudice a law enforcement investigation[16] or would breach secrecy provisions.[17]
Where an APP Entity merely suspects that a Breach has occurred, it must carry out a “reasonable and expeditious” assessment to ascertain whether there are reasonable grounds to believe that the suspected Breach is in fact a Breach, and must complete that assessment within 30 days of becoming aware of the suspicion.[18]
The reporting requirements will not apply if the Breach is unlikely to cause serious harm to the individuals to whom it relates, or if the APP Entity that committed the Breach takes remedial action before the disclosure causes any serious harm.[19] In that case, the disclosure of the information is taken never to have been a Breach.
In considering whether ‘serious harm’ is likely to result to an individual, consideration must be given to the kind of information and its sensitivity, the kinds of persons who could have obtained access to the information, and the likelihood that they obtained the information with the intention of causing harm to any of the individuals to whom it relates.[20]
Such a determination is necessarily subjective, and if you are in any doubt as to whether your organisation has committed a Breach, you should notify the Privacy Commissioner in any event.
If the Commissioner becomes aware that there are reasonable grounds to suspect a Breach, and it has not been reported, the Commissioner can direct an APP Entity to provide a statement in the format outlined above.[21]
A failure to comply with the requirements included in the New Act is deemed to be an interference with an individual’s privacy for the purposes of the Act.
The Commissioner has wide ranging powers to investigate, make determinations, and provide remedies in relation to non-compliance.
Serious or repeated interferences with the privacy of an individual can attract a maximum penalty of $360,000 for individuals and $1.8M for bodies corporate.[22]
Preventing a Breach
The New Act will come into force in a maximum of one year’s time, and possibly sooner. Businesses should use this time to ensure they are ready to comply once the New Act becomes operative. Specifically:
Dealing with a Breach
If you have any queries or comments about this New Act or how it affects your business, please contact Lorraine Madden or Iain Freeman.
[1] Privacy Amendment (Notifiable Data Breaches) Act 2016 (Cth).
[2] Ibid.
[3] Privacy Act 1988 (Cth) s 6.
‘entity’ means:
[4] Privacy Act 1988 (Cth) Schedule 1 Australian Privacy Principle 11.
[5] Commonwealth, Parliamentary Debates, House of Representatives, 2016, (Senator the Honourable Brandis, Attorney-General), [1] to [4].
[6] Privacy Amendment (Notifiable Data Breaches) Act 2016 (Cth).
[7] Ibid, s 26WA.
An eligible data breach happens if:
[8] Commonwealth, Parliamentary Debates, House of Representatives, 2016, (Senator the Honourable Brandis, Attorney-General) [14].
[9] Privacy Amendment (Notifiable Data Breaches) Act 2016 (Cth), s 26WK.
[10] Ibid, s 26WK.
[11] Ibid, s 26WK(3)(a) and (4).
[12] Ibid, s 26WK(3)(b) and (c).
[13] Ibid, s 26WK(3)(d).
[14] Ibid, s 26WL(2)(a) to (c).
[15] Ibid, s 26WL(2)(c).
[16] Ibid, s 26WS.
[17] Ibid, s 26WT.
[18] Ibid, s 26WH.
[19] Ibid, s 26WF.
[20] Ibid, s 26WG.
[21] Ibid, s 26WR.
[22] Privacy Act 1988 (Cth) s 13G.