Notifiable data breaches: do they affect your business?
22.02.18On 22 February 2018, new laws in respect of notifiable data breaches take effect altering the Privacy Act 1988 (Cth) (‘Privacy Act’) to impose additional obligations on businesses it impacts (‘APP Entities’).
Effectively the new legislation requires that if an APP Entity experiences an ‘Eligible Data Breach’ and unless an exemption applies, it is obligated to report the breach in a specific way, both to the Office of the Australian Information Commissioner (‘OAIC’) and the individuals affected by the breach.
The new laws are designed to allow individuals whose information has been compromised to take steps to mitigate the damage. There is, however, a degree of discretion for APP Entities such that they may only be required to report data breaches where the breach could result in serious harm.
1. Identifying and mitigating potential breaches
Should a potential breach be identified, an EPP Entity should first take steps to contain the breach and/or mitigate the risk of harm. Taking prompt action may allow an entity to avoid disclosing a breach on the basis they have prevented it from becoming an ‘Eligible Data Breach’.
An Eligible Data Breach is a breach where there is:
- unauthorised access, disclosure or loss of personal information (‘Unauthorised Conduct’);
- the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates; and
- no exemptions apply.
The importance of taking mitigation steps towards avoiding a potential breach becoming an Eligible Data Breach (‘Remedial Action’) is discussed further below at section 4.
2. Does it require reporting?
Regardless of whether the above process mitigates a potential breach, an APP Entity must consider whether it has ‘reasonable grounds’ to believe that the breach requires disclosure. Determining what is reasonable should be formalised into an assessment process that forms part of a business’ data handling policies (eg data collection, privacy, and so on) (‘Assessment’).
Importantly, the Act requires that an Assessment be undertaken even where there are merely reasonable grounds to suspect that there has been a relevant data breach. Should the Assessment substantiate suspicions (ie such that they become a reasonable belief), it may be the case that the situation must be reported to the OAIC within 30 days (should serious harm be likely).
3. What is serious harm?
Serious harm can include serious physical, psychological, emotional, economic, financial or even reputational harm.
The standard for whether harm is likely to result turns on factors including:
- the degree of sensitivity of the information and whether the information was protected by any security measures;
- the persons who have or could obtain the information; and
- any security technology in place and its potential ability to prevent a breach.
Should an APP Entity consider following Assessment that an Eligible Data Breach has occurred, the notification obligations are triggered pursuant to the Privacy Act.
4. Sensitive information
Any sensitive information is, per the guidance of the OAIC, more likely to bring about serious harm should Unauthorised Conduct occur. Sensitive information can include, for example, information of (‘Sensitive Information’):
- race;
- health information;
- political affiliation/opinions;
- memberships;
- religious beliefs;
- philosophical beliefs;
- sexual preferences/practices; or
- criminal records.
Should a breach involve Sensitive Information, best practice dictates that Assessment err on the side of caution in determining whether an Eligible Data Breach has occurred.
5. Do any exemptions apply?
Notwithstanding the above, should exemptions apply, an APP Entity may not be required to make disclosure. Exemptions include:
- where a reasonable person would conclude that Remedial Action prevents a potential breach from being likely to result in serious harm (note this action should be taken regardless of any other exemptions and is anticipated to be the most commonly relied upon);
- eligible data breaches of other entities holding the same records of breached information require that only one comply with notification requirements (eg joint ventures, outsourcing or shared service arrangements);
- enforcement related activities conducted by enforcement bodies do not require notifications to affected or at-risk individuals, though notification must still be made to the Commissioner;
- inconsistency with secrecy provisions, though only to the extent of that inconsistency;
- declaration by the Commissioner that a particular entity need not comply with notification requirements; and
- notification requirements triggered pursuant to the My Health Records Act 2012 (Cth) in respect of health information included in an individual’s ‘My Health Record’, which instead triggers notification provisions pursuant to different legislation.
6. Providing notification
Should there be an Eligible Data Breach and no exemptions apply, an APP Entity must promptly notify the Commissioner and affected or at-risk individuals via a statement in the prescribed from setting out (‘Notice’):
- the identity and contact details of the entity;
- a description of the Eligible Data Breach;
- the kinds of information to which the breach relates;
- recommendations about the steps that individuals should take in response; and
- should the APP Entity have reason to believe that the breach or likely breach involves other entities, set out those other entities and their respective contact details.
The Commissioner must be notified ‘as soon as practicable’. This timeframe is influenced by a number of factors including an APP Entity’s circumstances, the time and effort required to comply with notification requirements, associated costs, and so on.
The OAIC operates on the basis that an APP Entity should comply with notification requirements promptly, unless there are vitiating circumstances that impact its ability to do so.
Should it not be practicable to provide Notice to each affected or at-risk individual, it may be possible to satisfy the notification requirements by publishing the Notice on the website of the relevant APP Entity and taking reasonable steps to publicise its contents.
7. Penalties
Should an APP Entity fail to comply with notification requirements, the Commissioner has the ability to do some or all of the following:
- Undertake investigations;
- Demand compliance;
- Make determinations;
- Seek legally enforceable undertakings from the offending APP Entity;
- Pursue civil penalties for serious or repeat offenders of up to $360,000 for individuals or $1.8 million for organisations; and
- require the APP Entity make public or personal apologies.
8. How should businesses respond?
Once the amendments to the Privacy Act are operational, it is a requirement that all APP Entities comply with the new laws.
(a) Data response plan
The Privacy Act provides that an organisation to which it applies must take reasonable steps to protect the personal information it holds from misuse, interference, loss, unauthorised access, modification or disclosure. The OAIC considers that the requirement to undertake ‘reasonable steps’ may include preparing and implementing a data response plan. Data response plans are also an ideal way to ensure an APP Entity complies with its obligations to investigate potential breaches and mitigate damage.
A data response plan should include strategies for:
- assessing, managing and containing data breaches (eg steps to be taken by staff in the event of a suspected breach);
- mitigating data breaches;
- communications to facilitate for prompt notifications (where required);
- explaining what constitutes a data breach to staff;
- the internal chain of command for data breach reporting;
- recording data breaches, and
- conducting a post-breach review and assessment of responses.
(b) Compliance check
The amendments also serve as a timely reminder for businesses to review whether the Privacy Act applies to your business and the state of your current privacy policy. Of particular concern from a legal perspective are policies that are:
- particularly short (eg one page only);
- not tailored to the specifics of the business (which is a requirement);
- do not cite the correct legal entity; or
- do not include the correct details (eg how information is stored/secured, how disputes can be lodged with the Commissioner, how information can be accessed/changed, etc).
In light of the new amendments to the Privacy Act, data response plans are recommended for any businesses captured by the Privacy Act or that collect personal or Sensitive Information.
Ramsden Lawyers now offers privacy compliance checks on your business’ current preparedness to comply with the amendments and the Privacy Act generally. Should they be required, we can also assist you in developing assessment criteria for assessing potential Eligible Data Breaches or drafting/editing privacy policies.
Ramsden Lawyers’ Business Team regularly assists small to medium businesses in achieving compliance with the Privacy Act. Should you have any concerns in relation to the above please do not hesitate to contact us via our online enquiry system or alternatively on (07) 5592 1921.