How serious is serious? Mandatory notification of data breaches soon to become a reality

On 12 March 2014, following the introduction of a suite of privacy reforms, the requirements placed on organisations and agencies with respect to their receipt, management and release of personal information under the Privacy Act 1988 (Cth) (Privacy Act) and the associated Australian Privacy Principles (APP) were extended and made far more prescriptive.  These reforms included:

  • a requirement that organisations and agencies take reasonable steps to protect the personal information held by them from misuse, interference and loss, as well as unauthorised access, modification or disclosure – see APP 11; and
  • the introduction of a voluntary system by which organisations and agencies could opt to report data breaches to the Office of the Australian Information Commissioner (OAIC) – see the OAIC’s “Guide to Handling Personal Information Security Breaches” (note: reporting a data breach is not presently mandatory).

These requirements may now be extended further following the release of the Privacy Amendment (Notification of Serious Data Breaches) Bill 2015 (Bill) for public comment, and in view of the likely passage of the Bill later this year.  If the Bill becomes law by amending the Privacy Act, agencies and organisations would be required to notify the OAIC and affected individuals following a serious data breach.

Could the proposed changes apply to me/my organisation or agency? 

Your entity will be required to comply with the proposed changes if it is an agency or an organisation (being an individual, company, partnership, trust or any unincorporated association with an annual turnover of $3 million or more in revenue in a year).

What is a “serious” data breach? 

A serious data breach would occur if personal information, credit reporting information, credit eligibility information or tax file information that an organisation or agency holds about one or more individuals is subject to unauthorised access or disclosure that puts any of the individuals to whom the information relates at real risk of serious harm, or is subject to an event which would be likely to lead to unauthorised access or disclosure that would put any of the affected individuals at real risk of serious harm.  The key point here is that a breach may be deemed to have arisen even if it would only be likely to lead to a real risk of serious harm (rather than certainly leading to such a risk).

What would my organisation or agency need to do if there is a serious data breach?

If your organisation or agency were to have reasonable grounds to believe that a serious data breach has occurred, it would be required to notify the OAIC and the affected individuals of that breach by issuing a notification statement.  By contrast, if your organisation or agency merely suspected that a serious data breach had occurred, it would have 30 days within which to assess whether notification is required. 

If your organisation or agency were to determine that it is necessary for it to issue a notification statement, the statement would need to address or include:

  • the organisation or agency’s identity and contact details;
  • a description of the serious data breach and the kinds of information affected; and
  • recommendations about the steps the affected individuals should take in response to the serious data breach.

Your organisation or agency would then be required to provide a copy of the statement to the OAIC and to take reasonable steps to notify all of the affected individuals (most likely by contacting them through whatever channels it normally uses to contact those individuals – whether by email, post or phone).  If it is not possible to notify some or all of the affected individuals, your organisation or agency would be required to publish the statement on its website and to take reasonable steps to publicise the statement.

How far would those notification requirements extend?

Your organisation or agency would not be required to comply with the mandatory notification procedure if:

  • law enforcement related activities would be affected by the notification;
  • a secrecy provision in another law applied; or
  • the Privacy Commissioner (whether on his own initiative or on application by your organisation or agency) were to determine that notification of the breach would be contrary to the public interest.

What would happen if I/my organisation or agency fails to issue a notification as required? 

Many organisations and agencies have already expressed concerns about the potentially onerous implications of complying with the proposed changes – including the significant costs associated with notifying affected individuals and the difficulty of setting up policies and procedures which will enable them to identify serious data breaches and to act on them in a timely manner.

Organisations and agencies must note that if they were to fail to comply with the proposed changes, they would:

  • place themselves at risk of the Privacy Commissioner:
    • initiating an investigation into the entity’s non-compliance and/or issuing a binding determination on the non-compliance, which may require the entity to apologise publicly, to pay compensation to the affected individual(s) or to take certain steps; or
    • in extreme circumstances, applying to the Federal Court or Federal Circuit Court to impose a civil penalty on the entity; and
  • place themselves at risk of serious reputational damage and/or loss of consumer or client confidence.

Lavan Legal Comment

With the successful passage of the Bill being highly likely, organisations and agencies need to start thinking now about whether they already have policies and procedures in place which would enable them to comply with these proposed changes. Although the prospect of implementing those policies and procedures may appear overwhelming and cost-intensive, by acting in advance agencies and organisations can ensure that they will be ready to comply with these changes, in a cost-effective manner, as and when they come into force.  If you have any questions about the Bill or whether your organisation or agency is operating in a manner which complies with the proposed changes, please contact Mathea McCubbing or Iain Freeman.

Disclaimer – the information contained in this publication does not constitute legal advice and should not be relied upon as such. You should seek legal advice in relation to any particular matter you may have before relying or acting on this information. The Lavan team are here to assist.