Privacy Data Breach Notification Requirements

by Dr Allison Stanfield

As of February 2018, new legislation will come into effect in Australia that will require entities to notify individuals, and the Office of the Australian Information Commissioner (“OAIC”), of data breaches. Organisations in Australia will need to be more conscious than ever of the personal information they are handling, as the long-awaited Notifiable Data Breaches scheme (“NDB Scheme”) comes into effect.

Data privacy and protection in Australia is currently regulated through a mix of federal, state and territory legislation. The Privacy Act 1988 (Cth) (“the Act”) regulates the handling of “personal information”, which is any information that allows an individual to be personally identified. The Act applies to all Commonwealth public sector agencies, as well as private sector organisations which have an annual turnover of more than $3 million, are health service providers or which otherwise trade in personal information, including credit reporting bodies (“Entities”).

The Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) (“the Amendment Act”) has established the NDB Scheme in Australia for the first time. Under the NDB Scheme, Entities must notify any individuals likely to be at risk of serious harm by a data breach.

Under the NDB Scheme, a data breach will arise in two ways:

  • When there has been unauthorised access to, or disclosure of, personal information; or
  • When circumstances arise that are likely to give rise to unauthorised access to, or unauthorised disclosure of, personal data.

Main differences between the Data Breach Notification and current data protection laws

Currently, pursuant to the terms of the Act as it stands, Australian Privacy Principle 11 (security of personal information) requires an Entity to take reasonable steps to protect personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure. However, there are currently no obligations to notify individuals of data breaches. This will change once the new legislation comes into effect, and organisations will be required to notify individuals of data breaches “as soon as practicable” after a breach has occurred.

The Amendment Act, which establishes the NDB Scheme, will commence on 22 February 2018 and will only apply to eligible data breaches that occur on, or after, that date.

What are the legal consequences of ignoring the regulation?

Where an organisation breaches a mandatory notification requirement, the contravention is deemed to be an “interference with the privacy of an individual”. Entities may be subject to anything from investigations to, in the case of serious or repeated non-compliance, substantial civil penalties. This could result in the organisation being liable for a civil penalty of up to 2,000 penalty units, the current value of which is $210 per penalty unit, or $420,000. The penalty amount that an organisation may receive will depend upon the circumstances of the case.

Secure destruction of personal data

Australian Privacy Principle 11 provides that if an Entity holds personal information about an individual and the Entity no longer needs the information, then the Entity must take such steps as are reasonable in the circumstances to destroy the information or to ensure that the information is de-identified. This requirement does not apply where the personal information is contained in a “Commonwealth record” or where the Entity is required by law or a court/tribunal order to retain the personal information. This obligation applies even where the Entity does not physically possess the personal information, but has the right or power to deal with it.

A document destruction policy should be developed, and staff informed about the policy and any procedures. The policy should deal with the destruction of both hard copy records and electronic records. For example, if hard copy records are to be destroyed, how will the destruction be carried out: by burning, shredding, pulping or otherwise? If electronic records are to be destroyed, how will this be done? If the data is stored by a third party, how will that third party be instructed to destroy the data and, more importantly, how will they verify that it has indeed been destroyed? Has data on backups been destroyed?

De-identification of personal information may be more appropriate than destruction where the de-identified information could provide further value or utility to the Entity or a third party.

Steps to be followed in the event of a breach

An Entity will be required to provide notice as soon as practicable to the OAIC and affected individuals where there are reasonable grounds to believe that an “eligible data breach” has occurred.

A data breach will arise where there has been unauthorised access to, or unauthorised disclosure of, personal information about one or more individuals, or where such information is lost in circumstances that are likely to give rise to unauthorised access or unauthorised disclosure (for example, giving the information to the wrong person).

An eligible data breach will arise where a “reasonable person” would conclude that there is a likely risk of “serious harm” to any of the affected individuals as a result of the unauthorised access or unauthorised disclosure. Although serious harm is not defined, it is likely to include serious physical, psychological, emotional, economic and financial harm, and even serious harm to reputation.

Serious harm will be likely if the harm is “more probable than not” having regard to a list of relevant matters set out in the Amendment Act. These matters include the sensitivity of the information, any security measures taken, such as encryption, and how easily those security measures could be overcome. The Entity is then obliged to:

  • Prepare a statement containing certain prescribed information about the data breach and provide it to the OAIC; and
  • Take steps to notify the affected individuals. The steps required will depend upon the circumstances, but will usually include sending the statement to the individual via the usual means of communication (that is, whatever is usual between the Entity and the individual).

If the Entity has reasonable grounds only to suspect (rather than believe) that an eligible data breach has occurred, then the Entity is not yet obliged to provide notification; however, the Entity will be required to complete a “reasonable and expeditious” assessment of the relevant circumstances within 30 days.

There are a number of exceptions to the notification obligation, such as where an Entity has taken remedial action to address potential harm to individuals that may arise from a relevant data breach before any serious harm is caused to the individuals to whom the information relates. Other exceptions cover law enforcement, Commonwealth secrecy requirements, data breaches affecting multiple entities and declarations by the Commissioner.

Organisations not covered by the Privacy Act 1988 (Cth)

At common law, a tort of invasion of privacy has been recognised by lower courts in Queensland and Victoria, and although the High Court in Australian Broadcasting Corporation v Lenah Game Meats (2001) 185 ALR 1 refrained from recognising a separate right to privacy, it left open the possibility of a new tort of invasion of privacy.

Further, if superior courts in Australia do have occasion to consider a common law right to privacy in future, there will be a number of overseas approaches to consider, including the ‘free standing’ tort of privacy recognised in the United States of America and in New Zealand, and the United Kingdom’s extension of the law of breach of confidence.

If an organisation is not an Entity covered by the Act, then the organisation can “opt in” pursuant to the Act. Although the Act may not require the organisation to describe how it deals with the personal information it encounters in its day-to-day operations, it is best practice to do so, and the organisation should have a Privacy Policy setting out how it deals with personal information. Doing so adds credibility to the organisation and allows its customers to feel comfortable in providing information to it.

Getting ready for DBN requirements

If an organisation fails to meet the DBN (data breach notification) requirements, the consequences can be costly, not only in monetary terms, but also in customer complaints and the resulting damage to reputation.

Every organisation should be prepared and have a plan ready, which is made known to staff. Some key recommendations are:

  • Prepare a data breach response plan and train staff on its contents;
  • Identify how to remedy a breach in the event it does happen;
  • Review agreements with suppliers to ensure they also have privacy and DBN obligations that are in line with the organisation’s obligations, and make clear who is to notify individuals affected by a breach;
  • Prepare a draft data breach notification, so that if there is a breach, the organisation can move quickly;
  • Plan how notification will be undertaken if there is a breach, for example, by email, SMS or otherwise.

The important thing is to be prepared and to make sure everyone in the organisation knows the DBN requirements and understands what is expected, should a breach occur.