On 13 February 2017, the Australian Senate passed into law the Privacy Amendment (Notifiable Data Breaches) Bill 2016. This law amends the primary privacy and data protection legislation in Australia, Privacy Act 1988 (Cth), to introduce the long-anticipated mandatory data breach notification scheme. Under this scheme, all agencies and businesses that are regulated by the Privacy Act are required to provide notice to the Australian Information Commissioner and affected individuals of certain data breaches that are likely to result in “serious harm.”
Why is this scheme being introduced?
With advances in technology, various agencies and organisations are increasingly collecting and holding larger amounts of personal information in electronic form, such as medical records, bank account details, occupational history, and other sensitive information about individuals’ personal preferences. This raises serious data security concerns with respect to the unauthorised access to or disclosure of personal information. The potential damage caused by such data breaches can be detrimental and costly.
In view of the growing threat of data breaches, the Federal Government has already made several aborted attempts to legislate data breach notification provisions in 2013 and 2015. The newly-passed bill reflects the Federal Government’s renewed commitment to impose positive obligations on businesses that suffer serious data breaches to notify the affected individuals and provide remedial steps for those individuals to minimise the adverse impact that might arise from such breaches.
When do you need to comply?
The Federal Government will designate the date on which the scheme will come into force. The designated date must be within one year of the date on which the Governor-General gives Royal Assent to the bill, which is expected to happen within the next few weeks. Should the Federal Government fail to designate a date within that one-year period, the Privacy Act will come into force the day after the expirary of that period.
Who needs to comply?
The mandatory data breach notification scheme applies to all “APP Entities” that are regulated under the Privacy Act. Generally, these entities include:
- all private sector and not-for-profit organisations with an annual turnover of more than A$3 million;
- most Australian and Norfolk Island Government agencies;
- all private health service providers; and
- some small businesses;
who handle, use, and manage personal information (i.e., information or opinion about an identified individual or an individual who is reasonably identifiable, regardless of whether that information is true or recorded in a material form) and who are required to keep that information secure under the Privacy Act.
Further, credit reporting bodies holding credit reporting information, credit providers holding credit eligibility information, and file number recipients holding tax file numbers relating to one or more individuals are also required to comply with mandatory data breach notification provisions under the bill.
What triggers notification?
If you are required to comply with the mandatory data breach notification provisions, you must notify if:
- you have reasonable grounds to believe that an “eligible data breach” has happened; or
- you are directed to do so by the Commissioner.
An “eligible data breach” happens if:
- there is unauthorised access to, unauthorised disclosure of, or loss of personal information held by an entity; and
- a reasonable person would conclude that the access, disclosure, or loss is likely to result in serious harm to any of the individuals to whom the information relates.
It should be noted that the notification threshold is met only if the access, disclosure, or loss of information is “likely to result in serious harm.”
“Likely to result in”
The explanatory memorandum for the law states that the risk of serious harm occurring is “likely” if it is more probable than not. In deciding whether this is the case, the bill sets out a number of factors that may be considered:
- the kind(s) of information;
- the sensitivity of the information;
- whether the information is protected by one or more security measures;
- if the information is protected by one or more security measures, the likelihood that any of those security measures could be overcome;
- the persons, or the kind of persons, who have obtained, or who could obtain, the information;
- if a security technology or methodology (e.g., encryption) was used to secure the information, the likelihood that the persons who have obtained, or who could obtain, the information and have the intention of causing harm to any of the relevant individuals have obtained, or could have obtained, information or knowledge required to circumvent the security technology or methodology (e.g., encryption key);
- the nature of the harm; and
- any other relevant matters.
While the bill does not specify what constitutes a “serious harm,” the explanatory memorandum confirms that serious harm could include serious physical, psychological, emotional, economic, reputational, and financial harm, as well as other forms of serious harm that a reasonable person would identify as a possible outcome of the data breach.
Although individuals may experience personal distress as a result of a data breach, this is unlikely to itself be considered a “serious harm” and sufficient ground to require notification unless the objective “reasonable person” test is satisfied.
How do you notify?
If you suspect that an eligible data breach has occurred, you must carry out an assessment into the relevant circumstances within 30 days after you become aware of reasonable grounds for such suspicion.
In the event of an eligible data breach, you must serve a notice on the Commissioner and affected individuals as soon as possible after you become aware of such breach. Your notice must set out:
- your identity and contact details;
- a description of the eligible data breach that you have reasonable grounds to believe has happened;
- the kind of information concerned; and
- recommendations about the steps that the affected individuals should take in response to the eligible data breach.
When providing this notice, you may use the usual method of communication (if any) that you use to communicate with the affected individual.
There are limited exceptions to the data breach notification requirements. For example, if you have taken remedial action to rectify an eligible data breach or potential eligible data breach, and a reasonable person would conclude that such data breach is not likely to result in serious harm to the affected individuals as a result of your remedial action, you may not be required to notify.
Further, the Commissioner may give an exemption from notification requirements where the Commissioner is satisfied that is it reasonable to do so.
What happens if you don’t comply?
If you fail to comply with the notification requirements, the Commissioner may conduct investigations, make determinations, seek enforceable undertakings, order compensation, and/or impose a civil penalty of up to A$1.8 million if the breach is serious or repeated.
Jenny Han, in our Sydney office, contributed to this post.