Key Points
-
Bill passed to introduce mandatory data breach notification.
-
New disclosure requirements and penalties.
-
New exceptions.
After a long wait, the Australian Government has passed a Bill that will require organisations to notify individuals if an unauthorised person or group has had access to their personal information in a way that could cause serious harm.
Mandatory data breach notification was a recommendation of the Australian Law Reform Commission in its Report 108 For Your Information – Australian Privacy Law and Practice published in August 2008. It was not one of the recommendations picked up by the Government in its initial response to that report which saw the eventual introduction of the Australian Privacy Principles but it has been on the legislative agenda for several years. Finally, with the passing of the Privacy Amendment (Notifiable Data Breaches) Bill 2016, it has become law.
In the absence of legislation dealing with the issue, in August 2014 the Office of the Australian Information Commissioner (OAIC) published Data Breach Notification: A Guide to Handling Personal Information Security Breaches which emphasised that good privacy practice required data breach notification. The Bill is consistent with the recommendations in that guide.
The changes will require businesses subject to the Privacy Act as well as government agencies to notify individuals “as soon as practicable” when an eligible data breach impacts them. The OAIC will also be given the power to direct a business or government agency to contact individuals when it is believed a serious data breach has occurred. If it is not practicable for the organisation to notify people directly, it must take reasonable steps to publicise a statement and publish it on its website.
Where there is uncertainty, the Bill attempts to strike a balance between the needs of entities and the needs of individuals. When businesses and agencies suspect an eligible data breach has occurred they will be required to conduct a reasonable assessment within 30 days. If, as a result of the assessment, they are able to reasonably form the view that an eligible data breach has occurred they will be obligated to notify the OAIC and affected individuals.
An eligible data breach occurs when:
- there is unauthorised access to, disclosure of, or loss of information held by a business or agency; and
- a reasonable person would consider the breach likely to cause serious harm to the people to whom the information relates.
Serious harm is determined by considering factors such as:
- the kind of information;
- the sensitivity of the information;
- whether the information is protected by mechanisms such as encryption;
- the likelihood of that protection being overcome;
- the person or people, or kind of persons, who have obtained access to the information.
Exceptions will apply in various circumstances, including:
- Where the data breach is experienced by more than one entity, only one entity will need to carry out the statutory obligations;
- Where action was taken to fix the breach before an individual suffers harm;
- If a notification would prejudice law enforcement related activity;
- Where a notification would be inconsistent with a secrecy provision; and
- At the Commissioner’s discretion.
Once commenced, penalties will apply for non-compliance with the laws.
The commencement date is yet to be announced, but will occur within the next 12 months.
Organisations wishing to prepare for the commencement of these amendments should familiarise themselves with OAIC’s guide to data breach notification.
Post by Ramza Martin and John Kell