My general review of the Privacy Amendment (Privacy Alerts) Bill 2013.

June 4, 2013

In this post I have undertaken a general review of the Privacy Amendment (Privacy Alerts) Bill 2013 and each of its provisions.  The Bill’s homepage is found here.

SECOND READING SPEECH

In any review it is useful to set out the second reading speech of the Minister responsible for the legislation.  In this case that is the Attorney General, Mark Dreyfus.

It provides:

The introduction of the Privacy Amendment (Privacy Alerts) Bill 2013 is the next key step in the government’s major reform of Australia’s privacy laws.

It is a long overdue measure that was recommended by the Australian Law Reform Commission in 2008.

It will introduce a new consumer privacy protection for Australians that will keep their personal information more secure in the digital age. It will also encourage agencies and private sector organisations to improve their data security practices.

In its 2008 privacy report, the Australian Law Reform Commission found that, as government agencies and large companies collected more and more personal information online, there was an increasing risk that this could become subject to data breaches. There were studies to show that the frequency of data breaches was increasing and their consequences were becoming more severe.

This trend has continued. For example, in recent years, there have been a number of high-profile data breaches in Australia and in other countries.

Customers of large, well-respected businesses have had their personal information compromised as a result of hacker attacks, poor security or just plain carelessness.

As recently as February this year, the Australian Broadcasting Corporation (ABC) revealed that the personal details of almost 50,000 internet users had been exposed online after the ABC’s main website was hacked.

This followed large-scale breaches in recent years at Telstra, Medvet and Sony Playstation.

A data breach can severely affect individuals whose personal information has been compromised.

Individuals can lose money when personal information relating to their finances finds its way into the wrong hands. They can be exposed to the risk of fraud and identity theft. And they can suffer embarrassment and distress when information contained in medical records is publicly revealed.

The government believes that individuals should know when their privacy has been interfered with. That is why the government is introducing this bill.

Currently, there is no requirement for agencies and organisations to notify affected individuals or the commissioner when they have suffered a data breach.

The commissioner has voluntary guidelines encouraging notification, but is concerned that many data breaches—perhaps a majority—are going unreported. The bill stops the gap in Australia’s privacy laws.

Australia is not the only jurisdiction to introduce a notification requirement.

Almost every state in the United States has introduced data breach notification laws. Canada has legislation in parliament. The European Union is developing a new directive that requires notification of data breaches. New Zealand is considering a similar law reform commission recommendation to introduce a mandatory notification scheme.

Australia should be a global leader in privacy protection as we grow our digital economy and more and more personal information goes online.

The bill provides that when an agency or organisation has suffered a serious data breach, it must notify the affected individuals and the Australian Privacy Commissioner.

Prompt notifications will allow individuals to take action to protect their personal information. Individuals will be able to reset passwords, cancel credit cards, improve their online security settings, and take other measures as they see fit.

The notification requirement will provide an incentive to businesses to store information securely. No business wants a reputation for not keeping its customers’ personal information safe.

Agencies and organisations will only have to provide notification of serious data breaches. A requirement to provide notification of all data breaches would impose an undue regulatory burden on businesses, and it would unnecessarily alarm many customers.

The notification must include information such as a description of the breach, the kinds of information concerned, recommendations about steps that individuals should take, and contact details of the entity.

The bill provides that the commissioner may direct an agency or organisation to provide affected individuals with notification of a data breach. This is a necessary measure in cases where an agency or organisation is recalcitrant or has simply made the wrong decision.

The bill also contains public interest and law enforcement exceptions. These are necessary where there are countervailing interests that outweigh the need to inform individuals about the data breach.

Where there is a failure to comply with a notification requirement, all the commissioner’s enforcement powers to investigate and make determinations will be available. This could result in personal and private apologies, compensation payments and enforceable undertakings.

In the case of serious or repeated noncompliance with notification requirements, this could lead to a civil penalty being imposed by a court.

The bill is part of the government’s ongoing commitment to the right to privacy.

Last year, the government introduced the most significant reforms to privacy law in Australia since the Privacy Act commenced in 1989. This bill will complement those new reforms, and that is why we intend to commence the bill at the same time in March 2014.

One of last year’s major reforms was the creation of the Australian privacy principles, which will apply to both government agencies and many private sector organisations.

Australian privacy principle 11 provides that entities regulated by the Privacy Act must have adequate security measures in place to protect personal information that they hold. The data breach notification requirement will complement Australian privacy principle 11 by requiring notification if there has been unauthorised access or disclosure, or loss, of that personal information.

Privacy is an important human right, and its continued protection in the digital era is becoming a major challenge for governments everywhere.

The right of an individual to control what happens with his or her personal information is an important aspect of the right to privacy.

The data breach notification requirement helps return control over their personal information to individuals.

The ALRC believed Australia’s privacy laws needed this change in 2008. The evidence since that time has been building and it is now clear that this reform is well overdue.

I commend the bill to the House.


DEFINITION OF TERMS

Serious Data Breach (section 6(1))

A key term, serious data breach is defined as:

serious data breach has the meaning given by section 26X, 26Y, 26Z or 26ZA.

The Explanatory Memorandum states:

Item 1 of Schedule 1 inserts a definition of ‘serious data breach’ into existing subsection 6(1) of the Privacy Act.  This Item provides that the term ‘serious data breach’ has the meaning given by section 26X, 26Y, 26Z or 26ZA, which are inserted into the Privacy Act by this Bill (see Item 4, below).

This definition is intended to capture data breaches that are significant enough to warrant notification.  This will ensure the Government does not create or impose an unreasonable compliance burden on entities regulated by the scheme, and avoid the risk of ‘notification fatigue’ among individuals receiving a large number of notifications in relation to non-serious breaches. 

Issue

A serious data breach is found, at sections 26X(e), 26Y(e), 26Z(e) and 26ZA(e), if the preconditions in paragraphs (a) to (d) of each of those sections are met, and an individual is significantly affected as determined by paragraphs (f) and (g) of each of those sections.  In that respect a serious data breach is a conclusionary provision.  It is necessary to establish the preconditions in each of the other paragraphs of each of those sections.

Significantly affected (section 6(1))

The definition is:

significantly affected, in relation to an individual and in relation to a serious data breach, has the meaning given by section 26X, 26Y, 26Z or 26ZA.

The Explanatory Memorandum states:

Item 2 of Schedule 1 inserts a definition of ‘significantly affected’ into existing subsection 6(1) of the Privacy Act.  This Item provides that the term ‘significantly affected’, in relation to an individual and in relation to a serious data breach, has the meaning given by section 26X, 26Y, 26Z or 26ZA, which are inserted into the Privacy Act by this Bill (see Item 4, below).

This definition is intended to capture the individuals who are required to be notified in the event of a serious data breach.  First, that will be individuals who are at real risk of serious harm in the event of a serious data breach.  Secondly, it will also cover those individuals who are affected by serious data breaches involving particular categories of personal information, credit reporting information, credit eligibility information, or tax file number information that has been prescribed under the regulations (e.g. using the regulation-making power contained in subparagraph 26X(1)(d)(ii)).

Issue

The same structure applies here.  An individual is significantly affected only as determined by paragraphs (f) and (g) of sections 26X, 26Y, 26Z and 26ZA, and only once the preconditions in paragraphs (a) to (d) of the relevant section have been established and a serious data breach is found under paragraph (e).

Data Breach Notification (section 13(4A))

Data breach notification is defined as:

          (4A)  If an entity (within the meaning of Part IIIC) contravenes section 26ZB or 26ZC, the contravention is taken to be an act that is an interference with the privacy of an individual.

The Explanatory Memorandum states:

Item 3 of Schedule 1 inserts a new subsection 13(4A) into the Privacy Act after new subsection 13(4), as included by the Privacy Amendment Act.  New subsection 13(4A) is titled ‘Data breach notification’, and provides that if an entity (within the meaning of Part IIIC) contravenes either new section 26ZB or 26ZC of the Privacy Act (which are inserted by this Bill), the contravention is taken to be an act that is an ‘interference with the privacy of an individual’.  Subsection 6(1) of the Privacy Act, as amended by the Privacy Amendment Act, provides that the term ‘interference with the privacy of an individual’ has the meaning given by section 13 to 13F of the Privacy Act.

The effect of new subsection 13(4A) of the Privacy Act will be to enable the Australian Information Commissioner (the Commissioner) to use the powers and access the remedies available to the Commissioner under the Privacy Act to investigate and address contraventions of section 26ZB or 26ZC.  These will include new powers that commence on 12 March 2014.  These include the capacity for the Commissioner to initiate own motion investigations, make determinations, seek enforceable undertakings, and pursue civil penalties for serious or repeated interferences with privacy.

A civil penalty for serious or repeated interferences with the privacy of an individual will only be issued by the Federal Court or Federal Circuit Court of Australia following an application by the Commissioner.  Serious or repeated interferences with the privacy of an individual attract a maximum penalty of 2,000 penalty units for individuals and 10,000 penalty units for bodies corporate.

Issue

As the Explanatory Memorandum makes clear, a contravention of section 26ZB (failure to notify of a serious data breach) or section 26ZC (failure to comply with a direction of the Privacy Commissioner to notify of a serious data breach) enlivens the Privacy Commissioner’s powers (commencing on 12 March 2014) to conduct own motion investigations, seek enforceable undertakings and bring civil penalty proceedings where there are serious or repeated interferences with privacy.  This gives significant power to the Commissioner to ensure that entities provide notice, even where they would much prefer to resolve the matter without notifying those whose personal information is being stored.

The enforcement rights available to the Commissioner under the Privacy Act include a determination by the Commissioner that the entity pay compensation and, from March 2014, where there is a serious or repeated interference with privacy, the institution of civil penalty proceedings.  The Federal Court can order penalties of up to $1.7m for a corporation.

Part IIIC—Data breach notification

26X  Serious data breach—APP entities

The Explanatory Memorandum states:

This section sets out the circumstances in which access to, or disclosure of, personal information will be a serious data breach where the personal information is held by an APP entity.  ‘APP entity’ is defined in subsection 6(1) of the Privacy Act and includes Commonwealth government agencies and private sector organisations regulated by the Privacy Act.  The provision refers to Australian Privacy Principle 11, which requires APP entities to protect personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure.

Unauthorised access or disclosure of personal information

            (1)  For the purposes of this Act, if:

                     (a)  an APP entity holds personal information relating to one or more individuals; and

                     (b)  the APP entity is required under section 15 not to do an act, or engage in a practice, that breaches Australian Privacy Principle 11.1 in relation to the personal information; and

                     (c)  there is unauthorised access to, or unauthorised disclosure of, the personal information; and

                     (d)  either:

                             (i)  the access or disclosure will result in a real risk of serious harm to any of the individuals to whom the personal information relates; or

                            (ii)  any of the personal information is of a kind specified in the regulations;

then:

                     (e)  the access or disclosure is a serious data breach of the APP entity in relation to the personal information; and

                      (f)  if subparagraph (d)(i) applies—an individual is significantly affected by the serious data breach if, and only if, the individual is an individual to whom the risk mentioned in that subparagraph relates; and

                     (g)  if subparagraph (d)(ii) applies—an individual is significantly affected by the serious data breach if, and only if, the individual is:

                             (i)  an individual to whom the personal information relates; and

                            (ii)  an individual who, under the regulations, is taken to be significantly affected by the serious data breach.

Note 1:       For harm, see section 26ZE.

Note 2:       For real risk, see section 26ZF.

The Explanatory Memorandum provides:

New subsection 26X(1), which is titled ‘Unauthorised access or disclosure of personal information’, establishes the circumstances that will constitute a ‘serious data breach’ when personal information is subject to unauthorised access or unauthorised disclosure.

New subsection 26X(1) provides that unauthorised access to, or unauthorised disclosure of, personal information will be a serious data breach if an APP entity holds personal information relating to one or more individuals, is required under section 15 of the Privacy Act to comply with Australian Privacy Principle 11.1, and either:

  • the access or disclosure will result in a real risk of serious harm to any of the individuals to whom the personal information relates (subparagraph 26X(1)(d)(i)), or
  • any of the personal information is of a kind specified in the regulations (subparagraph 26X(1)(d)(ii)).

In this context, ‘serious harm’ includes harm to reputation and economic or financial harm (section 26ZE).  The risk of harm must be real (that is, not remote) for it to give rise to a serious data breach (section 26ZF).  In order not to impose an unreasonable compliance burden on APP entities and to avoid the risk of ‘notification fatigue’ among individuals receiving a large number of notifications in relation to non-serious breaches, it is not intended that every data breach be subject to a notification requirement.

The ability to make regulations to specify particular situations that may also be serious data breaches is intended to provide the flexibility to deal with data breaches that may not reach the threshold of a real risk of serious harm but should nevertheless be subject to notification.  These could include the release of particularly sensitive information such as health records which may not cause serious harm in every circumstance but should be subject to the highest level of privacy protection.

Paragraph 26X(1)(f) provides that, if subparagraph 26X(1)(d)(i) applies, an individual is ‘significantly affected’ by the serious data breach if, and only if, the individual is at real risk of serious harm from the access or disclosure of their personal information.  Paragraph 26X(1)(g) provides that, if subparagraph 26X(1)(d)(ii) applies, an individual is ‘significantly affected’ by the serious data breach if, and only if, the individual is both an individual to whom the personal information relates; and an individual who, under the regulations, is taken to be significantly affected by the serious data breach.

This Item also inserts two Notes following new subsection 26X(1) and before new subsection 26X(2).  Note 1 provides a cross-reference to the definition of the term ‘harm’ in new section 26ZE.  Note 2 provides a cross-reference to the definition of the term ‘real risk’ in new section 26ZF.

The effect of this section is to establish the circumstances that will constitute a ‘serious data breach’ when personal information is subject to unauthorised access or unauthorised disclosure.

Issue

Section 26X(1)(d)(ii) and (g)(ii) refer to regulations which have not yet been promulgated.  In the former case the regulations will specify the kinds of personal information involved; in the latter they define the scope of persons who are taken to be significantly affected by the breach.

Paragraphs 26X(1)(a) to (d) set out the preconditions for access or disclosure to be regarded as a serious data breach (section 26X(1)(e)).  They are:

  • an APP entity (that is, a government agency or organisation bound by the Privacy Act) holds personal information relating to at least one individual (section 26X(1)(a));
  • it is required, under section 15, not to do an act or engage in a practice which breaches APP 11.1 (section 26X(1)(b));

Section 15 provides:

An APP entity must not do an act, or engage in a practice, that breaches an Australian Privacy Principle.

APP 11.1 provides:

11.1     If an APP entity holds personal information, the entity must take such steps as are reasonable in the circumstances to protect the information:

                     (a)  from misuse, interference and loss; and

                     (b)  from unauthorised access, modification or disclosure.

  • there has been an unauthorised access to, or disclosure of, personal information (section 26X(1)(c));
  • that access or disclosure will result in a real (defined as not remote) risk of serious harm to any of the individuals to whom the personal information relates, or the personal information is of a kind specified in the regulations (section 26X(1)(d)).

The immediate issue is what steps are reasonable in all the circumstances.  The Privacy Commissioner has issued guidelines on what constitutes “reasonable steps”.  This issue has been dealt with by overseas privacy regulators, and their considerations, based on longer experience, may also be relevant.  Importantly, what the Federal Court finds on this issue will be critical.  For the moment the guidelines should be regarded as the starting point (but not the complete answer, as they are drafted in general terms).

If the preconditions are met, the access or disclosure is a serious data breach.  If that access or disclosure results in a real risk of serious harm to an individual whose personal information has been disclosed or accessed, that person is significantly affected (section 26X(1)(f)).  If instead the personal information is of a kind prescribed by the regulations, a person whose personal information was accessed or disclosed is significantly affected if, under the regulations, that person is taken to be significantly affected (section 26X(1)(g)).


Loss of personal information

            (2)  For the purposes of this Act, if:

                     (a)  an APP entity holds personal information relating to one or more individuals; and

                     (b)  the APP entity is required under section 15 not to do an act, or engage in a practice, that breaches Australian Privacy Principle 11.1 in relation to the personal information; and

                     (c)  the personal information is lost in circumstances where unauthorised access to, or unauthorised disclosure of, the personal information may occur; and

                     (d)  either:

                              (i)  assuming that unauthorised access to, or unauthorised disclosure of, the personal information were to occur, the access or disclosure will result in a real risk of serious harm to any of the individuals to whom the personal information relates; or

                            (ii)  any of the personal information is of a kind specified in the regulations;

then:

                     (e)  the loss is a serious data breach of the APP entity in relation to the personal information; and

                      (f)  if subparagraph (d)(i) applies—an individual is significantly affected by the serious data breach if, and only if, the individual is an individual to whom the risk mentioned in that subparagraph relates; and

                     (g)  if subparagraph (d)(ii) applies—an individual is significantly affected by the serious data breach if, and only if, the individual is:

                             (i)  an individual to whom the personal information relates; and

                            (ii)  an individual who, under the regulations, is taken to be significantly affected by the serious data breach.

Note 1:       For harm, see section 26ZE.

Note 2:       For real risk, see section 26ZF.

The Explanatory Memorandum states:

New subsection 26X(2), which is titled ‘Loss of personal information’, establishes the circumstances that will constitute a ‘serious data breach’ when personal information is lost in a situation that may result in that personal information being subject to unauthorised access or unauthorised disclosure.

New subsection 26X(2) provides that the loss of personal information in circumstances where unauthorised access to, or unauthorised disclosure of, the personal information may occur will be a serious data breach if an APP entity holds personal information relating to one or more individuals, is required under section 15 of the Privacy Act to comply with Australian Privacy Principle 11.1, and either:

  • assuming that unauthorised access to, or unauthorised disclosure of, the personal information were to occur, the access or disclosure will result in a real risk of serious harm to any of the individuals to whom the personal information relates (subparagraph 26X(2)(d)(i)), or
  • any of the personal information is of a kind specified in the regulations (subparagraph 26X(2)(d)(ii)).

Paragraph 26X(2)(f) provides that, if subparagraph 26X(2)(d)(i) applies, an individual is ‘significantly affected’ by the serious data breach if, and only if, the individual would be at real risk of serious harm if the unauthorised access or unauthorised disclosure of their personal information were to occur.  Paragraph 26X(2)(g) provides that, if subparagraph 26X(2)(d)(ii) applies, an individual is ‘significantly affected’ by the serious data breach if, and only if, the individual is both an individual to whom the personal information relates; and an individual who, under the regulations, is taken to be significantly affected by the serious data breach.

This Item also inserts two Notes following new subsection 26X(2) and before new subsection 26X(3).  Note 1 provides a cross-reference to the definition of the term ‘harm’ in new section 26ZE.  Note 2 provides a cross-reference to the definition of the term ‘real risk’ in new section 26ZF.

Issue

Subsection 26X(2) follows the structure adopted in subsection 26X(1).

Overseas recipients

            (3)  If:

                     (a)  an APP entity has disclosed personal information about one or more individuals to an overseas recipient; and

                     (b)  Australian Privacy Principle 8.1 applied to the disclosure of the personal information; and

                     (c)  the overseas recipient holds the personal information;

         this section has effect as if:

                     (d)  the personal information were held by the APP entity; and

                     (e)  the APP entity were required under section 15 not to do an act, or engage in a practice, that breaches Australian Privacy Principle 11.1 in relation to the personal information.

The Explanatory Memorandum states:

New subsection 26X(3), which is titled ‘Overseas recipients’, establishes the circumstances under which an APP entity will retain accountability for a ‘serious data breach’ involving personal information even though that APP entity might not be otherwise responsible for the breach due to the fact that the information has been disclosed to an overseas recipient.

New subsection 26X(3) provides that where:

  • an APP entity has disclosed personal information to an overseas recipient
  • APP 8.1 applied to that disclosure, and
  • the overseas recipient holds the personal information

then new section 26X of the Privacy Act applies to that cross-border transfer of personal information as if the personal information was held by the APP entity which was required under section 15 of the Privacy Act not to do an act, or engage in a practice, that breaches APP 11.1 in relation to the personal information. This means that the requirements of new subsections 26X(1) and 26X(2) apply, and the disclosing APP entity retains accountability under section 16C of the Privacy Act for that personal information, even if the data breach occurred offshore.

Issue

This provision is drafted consistent with the “accountability” principles in the Privacy Enhancement Act which will come into effect on 12 March 2014.

26Y  Serious data breach—credit reporting bodies

The Explanatory Memorandum states:

This section sets out the circumstances in which unauthorised access to, or unauthorised disclosure of, credit reporting information will be a serious data breach where the credit reporting information is held by a credit reporting body.  ‘Credit reporting information’ is defined in subsection 6(1) of the Privacy Act and includes the credit-related information about individuals collected by credit providers and disclosed to credit reporting bodies.  ‘Credit reporting body’ is defined in subsection 6(1) of the Privacy Act as an organisation that carries on a credit reporting business.  The provision refers to section 20Q of the Privacy Act.  Section 20Q is based on APP 11 and requires credit reporting bodies to, among other things, protect credit reporting information from misuse, interference and loss, and from unauthorised access, modification or disclosure.

Unauthorised access or disclosure of credit reporting information

            (1)  For the purposes of this Act, if:

                     (a)  a credit reporting body holds credit reporting information relating to one or more individuals; and

                     (b)  the credit reporting body is required to comply with section 20Q in relation to the credit reporting information; and

                     (c)  there is unauthorised access to, or unauthorised disclosure of, the credit reporting information; and

                     (d)  either:

                              (i)  the access or disclosure will result in a real risk of serious harm to any of the individuals to whom the credit reporting information relates; or

                            (ii)  any of the credit reporting information is of a kind specified in the regulations;

then:

                     (e)  the access or disclosure is a serious data breach of the credit reporting body in relation to the credit reporting information; and

                      (f)  if subparagraph (d)(i) applies—an individual is significantly affected by the serious data breach if, and only if, the individual is an individual to whom the risk mentioned in that subparagraph relates; and

                     (g)  if subparagraph (d)(ii) applies—an individual is significantly affected by the serious data breach if, and only if, the individual is:

                             (i)  an individual to whom the credit reporting information relates; and

                            (ii)  an individual who, under the regulations, is taken to be significantly affected by the serious data breach.

Note 1:       For harm, see section 26ZE.

Note 2:       For real risk, see section 26ZF.

The Explanatory Memorandum states:

New subsection 26Y(1), which is titled ‘Unauthorised access or disclosure of credit reporting information’, establishes the circumstances that will constitute a ‘serious data breach’ when credit reporting information is subject to unauthorised access or unauthorised disclosure.

New subsection 26Y(1) provides that unauthorised access to, or unauthorised disclosure of, credit reporting information will be a serious data breach if a credit reporting body holds credit reporting information, is required to comply with section 20Q of the Privacy Act, and either:

  • the unauthorised access or unauthorised disclosure will result in a real risk of serious harm to any of the individuals to whom the credit reporting information relates (subparagraph 26Y(1)(d)(i)), or
  • any of the credit reporting information is of a kind specified in the regulations (subparagraph 26Y(1)(d)(ii)).

Paragraph 26Y(1)(f) provides that, if subparagraph 26Y(1)(d)(i) applies, an individual is ‘significantly affected’ by the serious data breach if, and only if, the individual is at real risk of serious harm from the access or disclosure of their credit reporting information.  Paragraph 26Y(1)(g) provides that, if subparagraph 26Y(1)(d)(ii) applies, an individual is ‘significantly affected’ by the serious data breach if, and only if, the individual is both an individual to whom the credit reporting information relates; and an individual who, under the regulations, is taken to be significantly affected by the serious data breach.

This Item also inserts two Notes following new subsection 26Y(1) and before new subsection 26Y(2).  Note 1 provides a cross-reference to the definition of the term ‘harm’ in new section 26ZE.  Note 2 provides a cross-reference to the definition of the term ‘real risk’ in new section 26ZF.

Issue

This provision applies to entities that are required to comply with section 20Q, which provides:

20Q  Security of credit reporting information

(1)  If a credit reporting body holds credit reporting information, the body must take such steps as are reasonable in the circumstances to protect the information:

(a)  from misuse, interference and loss; and

(b)  from unauthorised access, modification or disclosure.

(2)  Without limiting subsection (1), a credit reporting body must:

(a)  enter into agreements with credit providers that require the providers to protect credit reporting information that is disclosed to them under this Division:

(i)  from misuse, interference and loss; and

(ii)  from unauthorised access, modification or disclosure; and

(b)  ensure that regular audits are conducted by an independent person to determine whether those agreements are being complied with; and

(c)  identify and deal with suspected breaches of those agreements.

Subsection 26Y(1) is focused on unauthorised access or disclosure that has actually occurred; loss of the information is dealt with separately in subsection 26Y(2).

Loss of credit reporting information

            (2)  For the purposes of this Act, if:

                     (a)  a credit reporting body holds credit reporting information relating to one or more individuals; and

                     (b)  the credit reporting body is required to comply with section 20Q in relation to the credit reporting information; and

  (c)  the credit reporting information is lost in circumstances where unauthorised access to, or unauthorised disclosure of, the credit reporting information may occur; and

                     (d)  either:

 (i)  assuming that unauthorised access to, or unauthorised disclosure of, the credit reporting information were to occur, the access or disclosure will result in a real risk of serious harm to any of the individuals to whom the credit reporting information relates; or

                            (ii)  any of the credit reporting information is of a kind specified in the regulations;

then:

                     (e)  the loss is a serious data breach of the credit reporting body in relation to the credit reporting information; and

  (f)  if subparagraph (d)(i) applies—an individual is significantly affected by the serious data breach if, and only if, the individual is an individual to whom the risk mentioned in that subparagraph relates; and

(g)  if subparagraph (d)(ii) applies—an individual is significantly affected by the serious data breach if, and only if, the individual is:

                             (i)  an individual to whom the credit reporting information relates; and

                            (ii)  an individual who, under the regulations, is taken to be significantly affected by the serious data breach.

Note 1:       For harm, see section 26ZE.

Note 2:       For real risk, see section 26ZF.

Explanatory Memorandum

New subsection 26Y(2), which is titled ‘Loss of credit reporting information’, establishes the circumstances that will constitute a ‘serious data breach’ when credit reporting information is lost in a situation that may result in that personal information being subject to unauthorised access or unauthorised disclosure.

New subsection 26Y(2) provides that the loss of credit reporting information in circumstances where unauthorised access to, or unauthorised disclosure of, the credit reporting information may occur will be a serious data breach if the credit reporting body holds credit reporting information relating to one or more individuals, is required to comply with section 20Q of the Privacy Act, and either:

  • assuming that unauthorised access to, or unauthorised disclosure of, credit reporting information were to occur, the access or disclosure will result in a real risk of serious harm to any of the individuals to whom the credit reporting information relates (subparagraph 26Y(2)(d)(i)), or
  • any of the credit reporting information is of a kind specified in the regulations (subparagraph 26Y(2)(d)(ii)).

Paragraph 26Y(2)(f) provides that, if subparagraph 26Y(2)(d)(i) applies, an individual is ‘significantly affected’ by the serious data breach if, and only if, the individual would be at real risk of serious harm if the unauthorised access to, or unauthorised disclosure of, the credit reporting information were to occur.  Paragraph 26Y(2)(g) provides that, if subparagraph 26Y(2)(d)(ii) applies, an individual is ‘significantly affected’ by the serious data breach if, and only if, the individual is both an individual to whom the credit reporting information relates; and an individual who, under the regulations, is taken to be significantly affected by the serious data breach.

This Item also inserts two Notes following new subsection 26Y(2) and before new subsection 26Y(3).  Note 1 provides a cross-reference to the definition of the term ‘harm’ in new section 26ZE.  Note 2 provides a cross-reference to the definition of the term ‘real risk’ in new section 26ZF.

Issue

This subsection is drawn in broader terms than 26Y(1). It applies where credit reporting information has been lost in circumstances where unauthorised access or disclosure may, but has not definitely, occurred; the test in paragraph (d)(i) is then applied on the assumption that the access or disclosure does occur.

26Z  Serious data breach—credit providers

Explanatory Memorandum states:

This section sets out the circumstances in which access to or disclosure of credit eligibility information will be a serious data breach where the credit eligibility information is held by a credit provider.  ‘Credit eligibility information’ is defined in subsection 6(1) of the Privacy Act as including credit reporting information disclosed to a credit provider by a credit reporting body and information derived from the credit reporting information.  ‘Credit provider’ is defined in section 6G of the Privacy Act as including a bank or other organisation that provides credit as a substantial part of its business or undertaking.  The provision refers to section 21S of the Privacy Act.  Section 21S is based on APP 11 and requires credit providers, among other things, to protect credit eligibility information from misuse, interference and loss, and from unauthorised access, modification or disclosure.

Issue

Where section 26Y covers credit reporting bodies, section 26Z applies to credit providers.  Otherwise the structure of each section is essentially the same.

Unauthorised access or disclosure of credit eligibility information

            (1)  For the purposes of this Act, if:

                     (a)  a credit provider holds credit eligibility information relating to one or more individuals; and

                     (b)  the credit provider is required to comply with subsection 21S(1) in relation to the credit eligibility information; and

                     (c)  there is unauthorised access to, or unauthorised disclosure of, the credit eligibility information; and

                     (d)  either:

(i)  the access or disclosure will result in a real risk of serious harm to any of the individuals to whom the credit eligibility information relates; or

                            (ii)  any of the credit eligibility information is of a kind specified in the regulations;

then:

(e)  the access or disclosure is a serious data breach of the credit provider in relation to the credit eligibility information; and

(f)  if subparagraph (d)(i) applies—an individual is significantly affected by the serious data breach if, and only if, the individual is an individual to whom the risk mentioned in that subparagraph relates; and

(g)  if subparagraph (d)(ii) applies—an individual is significantly affected by the serious data breach if, and only if, the individual is:

                             (i)  an individual to whom the credit eligibility information relates; and

                            (ii)  an individual who, under the regulations, is taken to be significantly affected by the serious data breach.

Note 1:       For harm, see section 26ZE.

Note 2:       For real risk, see section 26ZF.

Explanatory Memorandum states:

New subsection 26Z(1), which is titled ‘Unauthorised access or disclosure of credit eligibility information’, establishes the circumstances that will constitute a ‘serious data breach’ when credit eligibility information is subject to unauthorised access or unauthorised disclosure.

New subsection 26Z(1) provides that unauthorised access to, or unauthorised disclosure of, credit eligibility information will be a serious data breach if a credit provider holds credit eligibility information, is required to comply with subsection 21S(1) of the Privacy Act, and either:

  • the access or disclosure will result in a real risk of serious harm to any of the individuals to whom the credit eligibility information relates (subparagraph 26Z(1)(d)(i)), or
  • any of the credit eligibility information is of a kind specified in the regulations (subparagraph 26Z(1)(d)(ii)).

Paragraph 26Z(1)(f) provides that, if subparagraph 26Z(1)(d)(i) applies, an individual is ‘significantly affected’ by the serious data breach if, and only if, the individual is at real risk of serious harm from the access or disclosure of their credit eligibility information. Paragraph 26Z(1)(g) provides that, if subparagraph 26Z(1)(d)(ii) applies, an individual is ‘significantly affected’ by the serious data breach if, and only if, the individual is both an individual to whom the credit eligibility information relates; and an individual who, under the regulations, is taken to be significantly affected by the serious data breach.

This Item also inserts two Notes following new subsection 26Z(1) and before new subsection 26Z(2).  Note 1 provides a cross-reference to the definition of the term ‘harm’ in new section 26ZE.  Note 2 provides a cross-reference to the definition of the term ‘real risk’ in new section 26ZF.

Loss of credit eligibility information

            (2)  For the purposes of this Act, if:

                     (a)  a credit provider holds credit eligibility information relating to one or more individuals; and

                     (b)  the credit provider is required to comply with subsection 21S(1) in relation to the credit eligibility information; and

 (c)  the credit eligibility information is lost in circumstances where unauthorised access to, or unauthorised disclosure of, the credit eligibility information may occur; and

                     (d)  either:

(i)  assuming that unauthorised access to, or unauthorised disclosure of, the credit eligibility information were to occur, the access or disclosure will result in a real risk of serious harm to any of the individuals to whom the credit eligibility information relates; or

                            (ii)  any of the credit eligibility information is of a kind specified in the regulations;

then:

                     (e)  the loss is a serious data breach of the credit provider in relation to the credit eligibility information; and

 (f)  if subparagraph (d)(i) applies—an individual is significantly affected by the serious data breach if, and only if, the individual is an individual to whom the risk mentioned in that subparagraph relates; and

 (g)  if subparagraph (d)(ii) applies—an individual is significantly affected by the serious data breach if, and only if, the individual is:

                             (i)  an individual to whom the credit eligibility information relates; and

                            (ii)  an individual who, under the regulations, is taken to be significantly affected by the serious data breach.

Note 1:       For harm, see section 26ZE.

Note 2:       For real risk, see section 26ZF.

The Explanatory Memorandum states:

New subsection 26Z(2), which is titled ‘Loss of credit eligibility information’, establishes the circumstances that will constitute a ‘serious data breach’ when credit eligibility information is lost in a situation that may result in that credit eligibility information being subject to unauthorised access or unauthorised disclosure.

New subsection 26Z(2) provides that the loss of credit eligibility information in circumstances where unauthorised access to, or unauthorised disclosure of, the credit eligibility information may occur will be a serious data breach if the credit provider holds credit eligibility information relating to one or more individuals, is required to comply with subsection 21S(1) of the Privacy Act, and either:

  • assuming that unauthorised access to, or unauthorised disclosure of, credit eligibility information were to occur, the access or disclosure will result in a real risk of serious harm to any of the individuals to whom the credit eligibility information relates (subparagraph 26Z(2)(d)(i)), or
  • any of the credit eligibility information is of a kind specified in the regulations (subparagraph 26Z(2)(d)(ii)).

Paragraph 26Z(2)(f) provides that, if subparagraph 26Z(2)(d)(i) applies, an individual is ‘significantly affected’ by the serious data breach if, and only if, the individual would be at real risk of serious harm if the unauthorised access to, or unauthorised disclosure of, the credit eligibility information were to occur.  Paragraph 26Z(2)(g) provides that, if subparagraph 26Z(2)(d)(ii) applies, an individual is ‘significantly affected’ by the serious data breach if, and only if, the individual is both an individual to whom the credit eligibility information relates; and an individual who, under the regulations, is taken to be significantly affected by the serious data breach.

This Item also inserts two Notes following new subsection 26Z(2) and before new subsection 26Z(3).  Note 1 provides a cross-reference to the definition of the term ‘harm’ in new section 26ZE.  Note 2 provides a cross-reference to the definition of the term ‘real risk’ in new section 26ZF.

Bodies or persons with no Australian link

            (3)  If:

                     (a)  either:

(i)  a credit provider has disclosed, under paragraph 21G(3)(b) or (c), credit eligibility information about one or more individuals to a related body corporate, or person, that does not have an Australian link; or

(ii)  a credit provider has disclosed, under subsection 21M(1), credit eligibility information about one or more individuals to a body or person that does not have an Australian link; and

                     (b)  the related body corporate, body or person holds the credit eligibility information;

this section has effect as if:

                     (c)  the credit eligibility information were held by the credit provider; and

                     (d)  the credit provider were required to comply with subsection 21S(1) in relation to the credit eligibility information.

Note:          See section 21NA.

The Explanatory Memorandum states:

New subsection 26Z(3), which is titled ‘Bodies or persons with no Australian link’, establishes the circumstances under which a credit provider will retain accountability for a ‘serious data breach’ involving credit eligibility information that was disclosed to a body or person with no Australian link.

New subsection 26Z(3) provides that where:

  • either:
    • a credit provider has disclosed, under paragraph 21G(3)(b) or (c) of the Privacy Act, credit eligibility information about one or more individuals to a related body corporate, or person, that does not have an Australian link, or
    • a credit provider has disclosed, under subsection 21M(1) of the Privacy Act, credit eligibility information about one or more individuals to a body or person that does not have an Australian link, and
  • the related body corporate, body or person holds the credit eligibility information

then new section 26Z of the Privacy Act applies to that transfer of credit eligibility information as if the credit eligibility information were held by the credit provider, and the credit provider were required to comply with subsection 21S(1) of the Privacy Act in relation to the credit eligibility information.  This means that the requirements of new subsections 26Z(1) and 26Z(2) apply, and the credit provider retains accountability for that credit eligibility information, even where a credit provider discloses credit eligibility information to a recipient that does not have an Australian link.  The term ‘Australian link’ is used to define the entities that are subject to the operation of the Privacy Act, and is used, for example, in new section 5B, APP 8 and throughout the credit reporting provisions.  This subsection will apply where credit eligibility information has been disclosed by the credit provider to the entities listed in the specified circumstances, and where these entities hold that information.

This Item also inserts a Note following new subsection 26Z(3) and before new section 26ZA.  The Note provides a cross-reference to section 21NA of the Privacy Act.  That section provides that credit providers may, where they satisfy the requirements of clause 21NA, disclose credit eligibility information to an entity that does not have an Australian link.  Types of overseas entities to which a credit provider may choose to disclose credit eligibility information may include a credit provider’s agents or related body corporates, as well as a credit provider’s credit managers or debt collectors.

Issue

Consistent with the underlying principles of the Privacy Amendment (Enhancing Privacy Protection) Act 2012, this subsection makes the credit provider accountable for information it has disclosed to a related body corporate, or to another body or person, that does not have an Australian link.  A likely issue is the finding of fact as to whether the third party that received the information answers the description in paragraph (a), and whether that party still holds the information.

26ZA  Serious data breach—file number recipients

Section 26ZA uses the same framework as sections 26X, 26Y and 26Z.  It relates to the loss of, or unauthorised access to or disclosure of, tax file number information.

Explanatory Memorandum states:

This section sets out the circumstances in which unauthorised access to, or unauthorised disclosure of, tax file number information will be a serious data breach where the tax file number information is held by a file number recipient.  ‘Tax file number’ and ‘tax file number information’ are defined in section 6(1) of the Privacy Act.  The provision refers to sections 17 and 18 of the Privacy Act.  Section 17 provides that the Commissioner must issue guidelines concerning the collection, storage, use and security of tax file number information.  Section 18 provides that a file number recipient shall not do an act, or engage in a practice, that breaches a guideline issued under section 17.

Unauthorised access or disclosure of tax file number information

            (1)  For the purposes of this Act, if:

                     (a)  a file number recipient holds tax file number information relating to one or more individuals; and

 (b)  the file number recipient is required under section 18 not to do an act, or engage in a practice, that breaches a section 17 rule that relates to the tax file number information; and

                     (c)  there is unauthorised access to, or unauthorised disclosure of, the tax file number information; and

                     (d)  either:

(i)  the access or disclosure will result in a real risk of serious harm to any of the individuals to whom the tax file number information relates; or

                            (ii)  any of the tax file number information is of a kind specified in the regulations;

then:

(e)  the access or disclosure is a serious data breach of the file number recipient in relation to the tax file number information; and

 (f)  if subparagraph (d)(i) applies—an individual is significantly affected by the serious data breach if, and only if, the individual is an individual to whom the risk mentioned in that subparagraph relates; and

(g)  if subparagraph (d)(ii) applies—an individual is significantly affected by the serious data breach if, and only if, the individual is:

                             (i)  an individual to whom the tax file number information relates; and

                            (ii)  an individual who, under the regulations, is taken to be significantly affected by the serious data breach.

Note 1:       For harm, see section 26ZE.

Note 2:       For real risk, see section 26ZF.

The Explanatory Memorandum states:

New subsection 26ZA(1), which is titled ‘Unauthorised access or disclosure of tax file number information’, establishes the circumstances that will constitute a ‘serious data breach’ when tax file number information is subject to unauthorised access or unauthorised disclosure.

New subsection 26ZA(1) provides that unauthorised access to, or unauthorised disclosure of, tax file number information will be a serious data breach if a file number recipient holds tax file number information, is required to comply with sections 17 and 18 of the Privacy Act, and either:

  • the access or disclosure will result in a real risk of serious harm to any of the individuals to whom the tax file number information relates (subparagraph 26ZA(1)(d)(i)), or
  • any of the tax file number information is of a kind specified in the regulations (subparagraph 26ZA(1)(d)(ii)).

New paragraph 26ZA(1)(f) provides that, if subparagraph 26ZA(1)(d)(i) applies, an individual is ‘significantly affected’ by the serious data breach if, and only if, the individual is at real risk of serious harm because of the unauthorised access to, or unauthorised disclosure of, their tax file number information. Paragraph 26ZA(1)(g) provides that, if subparagraph 26ZA(1)(d)(ii) applies, an individual is ‘significantly affected’ by the serious data breach if, and only if, the individual is both an individual to whom the tax file number information relates; and an individual who, under the regulations, is taken to be significantly affected by the serious data breach.

This Item also inserts two Notes following new subsection 26ZA(1) and before new subsection 26ZA(2).  Note 1 provides a cross-reference to the definition of the term ‘harm’ in new section 26ZE.  Note 2 provides a cross-reference to the definition of the term ‘real risk’ in new section 26ZF.

Loss of tax file number information

            (2)  For the purposes of this Act, if:

                     (a)  a file number recipient holds tax file number information relating to one or more individuals; and

 (b)  the file number recipient is required under section 18 not to do an act, or engage in a practice, that breaches a section 17 rule that relates to the tax file number information; and

 (c)  the tax file number information is lost in circumstances where unauthorised access to, or unauthorised disclosure of, the tax file number information may occur; and

                     (d)  either:

(i)  assuming that unauthorised access to, or unauthorised disclosure of, the tax file number information were to occur, the access or disclosure will result in a real risk of serious harm to any of the individuals to whom the tax file number information relates; or

                            (ii)  any of the tax file number information is of a kind specified in the regulations;

then:

                     (e)  the loss is a serious data breach of the file number recipient in relation to the tax file number information; and

 (f)  if subparagraph (d)(i) applies—an individual is significantly affected by the serious data breach if, and only if, the individual is an individual to whom the risk mentioned in that subparagraph relates; and

(g)  if subparagraph (d)(ii) applies—an individual is significantly affected by the serious data breach if, and only if, the individual is:

                             (i)  an individual to whom the tax file number information relates; and

                            (ii)  an individual who, under the regulations, is taken to be significantly affected by the serious data breach.

Note 1:       For harm, see section 26ZE.

Note 2:       For real risk, see section 26ZF.

The Explanatory Memorandum states:

New subsection 26ZA(2), which is titled ‘Loss of tax file number information’, establishes the circumstances that will constitute a ‘serious data breach’ when tax file number information is lost in a situation that may result in that information being subject to unauthorised access or unauthorised disclosure.

New subsection 26ZA(2) provides that the loss of tax file number information in circumstances where unauthorised access to, or unauthorised disclosure of, the tax file number information may occur will be a serious data breach if the file number recipient holds tax file number information relating to one or more individuals, is required to comply with sections 17 and 18 of the Privacy Act, and either:

  • assuming that unauthorised access to, or unauthorised disclosure of, tax file number information were to occur, the access or disclosure will result in a real risk of serious harm to any of the individuals to whom the tax file number information relates (subparagraph 26ZA(2)(d)(i)), or
  • any of the tax file number information is of a kind specified in the regulations (subparagraph 26ZA(2)(d)(ii)).

Paragraph 26ZA(2)(f) provides that, if subparagraph 26ZA(2)(d)(i) applies, an individual is ‘significantly affected’ by the serious data breach if, and only if, the individual would be at real risk of serious harm if the unauthorised access to, or unauthorised disclosure of, the tax file number information were to occur.  Paragraph 26ZA(2)(g) provides that, if subparagraph 26ZA(2)(d)(ii) applies, an individual is ‘significantly affected’ by the serious data breach if, and only if, the individual is both an individual to whom the tax file number information relates; and an individual who, under the regulations, is taken to be significantly affected by the serious data breach.

This Item also inserts two Notes following new subsection 26ZA(2) and before the heading for new Division 2—Notifying serious data breaches.  Note 1 provides a cross-reference to the definition of the term ‘harm’ in new section 26ZE.  Note 2 provides a cross-reference to the definition of the term ‘real risk’ in new section 26ZF.

Division 2—Notifying serious data breaches

26ZB  Entity must notify serious data breach

The Explanatory Memorandum states:

This section sets out the circumstances in which an entity must provide notification of a serious data breach and to whom notification must be given.  The section also sets out the circumstances in which an entity may be exempt from an obligation to notify a serious data breach.

            (1)  If an entity believes on reasonable grounds that there has been a serious data breach of the entity in relation to:

                     (a)  personal information; or

                     (b)  credit reporting information; or

                     (c)  credit eligibility information; or

                     (d)  tax file number information;

the entity must, as soon as practicable after forming that belief:

                     (e)  prepare a statement that complies with subsection (2); and

                      (f)  give a copy of the statement to the Commissioner; and

(g)  if the general publication conditions are not satisfied—take such steps as are reasonable in the circumstances to notify the contents of the statement to each of the individuals significantly affected by the serious data breach that the entity believes has happened; and

                     (h)  if the general publication conditions are satisfied:

                             (i)  publish a copy of the statement on the entity’s website (if any); and

(ii)  cause a copy of the statement to be published in each State by being published in at least one newspaper circulating generally in that State.

Note:          For general publication conditions, see subsection (12).

The Explanatory Memorandum states:

New subsection 26ZB(1) provides that if an entity believes on reasonable grounds that there has been a serious data breach of the entity in relation to either personal information, credit reporting information, credit eligibility information or tax file number information, the entity must, as soon as practicable after forming that belief:

  • prepare a statement that complies with new subsection 26ZB(2) (paragraph 26ZB(1)(e)) (a paragraph 26ZB(1)(e) statement)
  • give a copy of the paragraph 26ZB(1)(e) statement to the Commissioner (paragraph 26ZB(1)(f))
  • if the general publication conditions are not satisfied, take such steps as are reasonable in the circumstances to notify the contents of the paragraph 26ZB(1)(e) statement to each of the individuals significantly affected by the serious data breach that the entity believes has happened (paragraph 26ZB(1)(g)), and
  • if the general publication conditions are satisfied:
    • publish a copy of the paragraph 26ZB(1)(e) statement on the entity’s website (if any) (subparagraph 26ZB(1)(h)(i)), and
    • cause a copy of the statement to be published in each State by being published in at least one newspaper circulating generally in that State (subparagraph 26ZB(1)(h)(ii)).

This Item also inserts a Note following new subsection 26ZB(1) and before new subsection 26ZB(2).  The Note provides a cross-reference to subsection 26ZB(12), which contains the general publication conditions.

The concept in paragraph 26ZB(1)(g) of ‘taking such steps as are reasonable in the circumstances’ is used elsewhere in the Privacy Act.  As noted in the Explanatory Memorandum to the Privacy Amendment (Enhancing Privacy Protection) Act 2012, the phrase ‘reasonable in the circumstances’ is an objective test that ensures that the specific circumstances of each case have to be considered when determining the reasonableness of the steps in question.

This flexibility is necessary given the different types of entities that are to be regulated under the new scheme.  For example, for entities with particular functions or engaged in certain activities, it may not be ‘reasonable in the circumstances’ to notify about a data breach.  For example, it may not be reasonable in the circumstances for a Commonwealth agency or private sector organisation to notify particular individuals about a data breach, where that organisation has been advised by a law enforcement agency or intelligence agency that notification might prejudice or adversely affect a law enforcement investigation or intelligence related activity.  However, the entity would still be required to comply with paragraph 26ZB(1)(f) and provide a copy to the Commissioner.

Issue

This subsection will require careful consideration of what constitutes “reasonable grounds” for a belief that there has been a serious data breach.  A suspicion warranting further enquiry, which may take time to resolve, is different from immediate knowledge that data such as credit card details has been stolen.  Modern intrusions cover both situations and everything in between.  In the United States there have been instances of attackers accessing databases without being definitively discovered for some time.  A glitch in a system may be just that.  These are findings of fact that will be important in determining whether, and when, a breach must be notified.  The Explanatory Memorandum acknowledges the need for flexibility.  It is likely that the Federal Court will set down the general principles, and overseas jurisprudence, or at least the extensive academic analysis of this issue, may be influential in formulating them.

Another issue is the scope of “as soon as practicable”.  That will be a lesser problem once a belief that unauthorised access has occurred is formed: prudence dictates a rapid response.  Entities with established protocols for such an eventuality will be better placed to answer criticism and respond to enquiries from the Privacy Commissioner than those with no process in place.

Paragraphs (1)(e) to (h) codify the response that must be taken.  Significantly for an entity, the Privacy Commissioner must be notified in every case (paragraph (1)(f)), whether or not individuals are notified directly or by general publication.

       (2)  The statement referred to in paragraph (1)(e) must set out:

                     (a)  the identity and contact details of the entity; and

                     (b)  a description of the serious data breach that the entity believes has happened; and

                     (c)  the kinds of information concerned; and

                     (d)  recommendations about the steps that individuals should take in response to the serious data breach that the entity believes has happened; and

                     (e)  such other information (if any) as specified in the regulations.

The Explanatory Memorandum states:

New subsection 26ZB(2) sets out the contents of the paragraph 26ZB(1)(e) statement that an entity must prepare to give notice of a serious data breach.  These are based on the matters in the current OAIC Data Breach Notification: A guide to handling personal information security breaches.  The statement must include:

  • the identity and contact details of the entity (paragraph 26ZB(2)(a))
  • a description of the serious data breach that the entity believes has happened (paragraph 26ZB(2)(b))
  • the kinds of information concerned (paragraph 26ZB(2)(c))
  • recommendations about the steps that individuals should take in response to the data breach that the entity believes has happened (paragraph 26ZB(2)(d)), and
  • any other information (if any) as specified in the regulations (paragraph 26ZB(2)(e)).

This means that, if the conditions in any regulations are met, instead of taking steps to notify each individual about the contents of the paragraph 26ZB(1)(e) statement, the entity may make a general publication in relation to the serious data breach.  New subsection 26ZB(12) provides that the regulations may declare one or more specified conditions to be general publication conditions.  It is envisaged that the regulations will deal with situations where it is impossible for the entity to contact each affected individual or where an attempt to contact each individual would be ineffective.  Paragraph 26ZB(1)(h) provides that where an entity makes a general publication it must publish a copy of the notification on its website (if it has one) and cause a copy of the notification to be published in each State in at least one newspaper circulating generally in that State.

Issue

This subsection sets out what needs to be in a statement by an entity which has to notify of a serious data breach.  The provision anticipates regulations.  The Explanatory Memorandum makes it clear that this provision is based on the recent Privacy Commissioner’s Data Breach Notification guide.

Clearly the statement will need to be carefully framed to deal with the fact situation: the nature of the breach, the information accessed or lost and what remedial action can be taken.  The entity must set out its own identity and contact details.  It needs to describe the nature of the serious data breach, a task that may be more complicated than it appears at face value.  It is also important to draft careful advice to the person(s) affected by the breach as to how to respond.  That may include a recommendation to change passwords in some instances.  If the breach involves financial information, the advice may need to extend to notifying the bank and cancelling credit cards.  It is difficult to frame a one-size-fits-all response, as personal information is so diverse and the information accessed or lost may not be the totality of the information held by the entity.  Each case must be dealt with on its merits.  Having a process in place to respond to a breach at least provides a structure within which to respond quickly, analyse the situation appropriately and notify accurately.

Method of providing the statement to an individual

(3)  If the entity normally communicates with an individual using a particular method, the notification to the individual under paragraph (1)(g) may use that method. This subsection does not limit paragraph (1)(g).

Explanatory Memorandum states:

Without limiting paragraph 26ZB(1)(g), new subsection 26ZB(3), which is titled ‘Method of providing the statement to an individual’, provides that where an entity normally communicates with an individual using a particular method, any notifications provided to the individual under paragraph 26ZB(1)(g) may use that method.  This is intended to reduce the cost of compliance for entities but also to ensure that individuals receive notifications through communication channels that they expect relevant entities to use.  Where there is no normal mode of communication with the particular individual the entity must take reasonable steps to communicate with him or her.  Reasonable steps could include contact by email, telephone or post.

Issue

This subsection entrenches the requirement that the usual form of communication with others regarding their information is the default position.

Exception—enforcement related activities

            (4)  Paragraphs (1)(g) and (h) do not apply if:

                     (a)  the entity is an enforcement body; and

                     (b)  the enforcement body believes on reasonable grounds that compliance with those paragraphs would be likely to prejudice one or more enforcement related activities conducted by, or on behalf of, the enforcement body.

Explanatory Memorandum states:

New subsection 26ZB(4), which is titled ‘Exception—enforcement related activities’, provides that new paragraphs 26ZB(1)(g) and 26ZB(1)(h) of the Privacy Act do not apply if the relevant entity is a law enforcement body that believes on reasonable grounds that compliance with those paragraphs would be likely to prejudice one or more enforcement related activities conducted by, or on behalf of, the enforcement body.

‘Enforcement body’ and ‘enforcement related activities’ are defined in subsection 6(1) of the Privacy Act.  The effect of this provision is that a law enforcement body is not required to notify affected individuals of the contents of the paragraph 26ZB(1)(e) statement, either individually or in compliance with the general publication conditions specified in subsection 26ZB(12).  However, the entity must still comply with paragraphs 26ZB(1)(e) (i.e., the entity must prepare a statement that complies with new subsection 26ZB(2)) and 26ZB(1)(f) (i.e. the entity must give a copy of that statement to the Commissioner).

This exception is intended to ensure that the legitimate activities of enforcement bodies are not disrupted or affected by the notification requirement.  However, it does not extend to serious data breaches that are not related to enforcement activities such as the inadvertent disclosure of personal information unrelated to investigations or intelligence gathering.  It also ensures that notification to the Commissioner is still required, so that the Commissioner can advise and assist enforcement bodies in responding to data breaches, and can continue to collect important information about data breaches to assist in combating or addressing them into the future.

Issue

Enforcement body is a defined term.  It is found in the Privacy (Enhancing Privacy) Act 2013.  The bodies listed in section 6(1) include:

(ba) the CrimTrac Agency; or

(ca)  the Immigration Department; or

(ea)  the Office of the Director of Public Prosecutions, or a similar body established under a law of a State or Territory; or

(la)  the Corruption and Crime Commission of Western Australia; or

Enforcement related activity is also a defined term.  It is defined as:

                     (a)  the prevention, detection, investigation, prosecution or punishment of:

                              (i)  criminal offences; or

                             (ii)  breaches of a law imposing a penalty or sanction; or

                     (b)  the conduct of surveillance activities, intelligence gathering activities or monitoring activities; or

                     (c)  the conduct of protective or custodial activities; or

                     (d)  the enforcement of laws relating to the confiscation of the proceeds of crime; or

                     (e)  the protection of the public revenue; or

                      (f)  the prevention, detection, investigation or remedying of misconduct of a serious nature, or other conduct prescribed by the regulations; or

                     (g)  the preparation for, or conduct of, proceedings before any court or tribunal, or the implementation of court/tribunal orders.

While the definitions are drawn broadly they do not cover all activities one would expect an enforcement body to undertake.  Similarly, it will be necessary to cross reference whether a body is “a similar body established under a law of a State or Territory” (section 6(1)(ea)).

Exception—Commissioner’s notice

(5)  The Commissioner may, by written notice given to an entity, exempt the entity from subsection (1) in such circumstances as are specified in the notice.

Explanatory Memorandum states:

New subsection 26ZB(5), which is titled ‘Exception—Commissioner’s notice’, provides that the Commissioner may, by written notice given to an entity, exempt that entity from the requirement to notify contained in new subsection 26ZB(1), in such circumstances that are contained in that written notice (a subsection 26ZB(5) notice).

Issue

This subsection enables the Privacy Commissioner to exempt an entity from providing notice of the unauthorised disclosure.  The notice is not an instrument as such, but given that the Privacy Commissioner can determine the circumstances in which the exemption is granted, care will need to be taken in drafting and reading the notice.  The width of the operation of the exemption is defined by the terms of the notice.

(6)  The Commissioner must not give a notice under subsection (5) unless the Commissioner is satisfied that it is in the public interest to do so.

Explanatory Memorandum states:

New subsection 26ZB(6) provides that a subsection 26ZB(5) notice can only be given when the Commissioner is satisfied that it is in the public interest to do so. It is expected that the Commissioner will develop guidance in consultation with agencies and organisations on what factors will need to be taken into account in determining whether issuing a notice will be in the public interest.

In that respect, the ALRC commented that such a provision could cover situations, for example, where there is a law enforcement investigation being undertaken into a data breach and notification would impede that investigation, or where the information concerned matters of national security.  This provision is intended to cover cases of that nature (where these activities, or the information concerned, are not already exempt from the scheme), particularly where a private sector organisation suffers the data breach and is responsible for reporting.  In those situations, a Commonwealth agency or private sector organisation would have grounds to seek this exemption on advice from an enforcement body or intelligence agency.

Issue

This subsection restricts the Privacy Commissioner’s power to exempt an entity from providing notice of the unauthorised disclosure to cases where the Commissioner is satisfied that the exemption is in the public interest.  As the exemption operates only according to the terms of the notice, the public interest grounds relied upon will in practice shape how the notice is drafted and read.

The public interest test has long been part of the Privacy Act framework (for example, see sections 66 and 70, and Part VI, which provides the mechanisms for public interest determinations and which has been the subject of amendment in the Privacy Enhancement Act).  It has not, however, been the subject of judicial consideration.

(7)  The Commissioner may give a notice under subsection (5) to an entity:

                     (a)  on the Commissioner’s own initiative; or

                     (b)  on application made to the Commissioner by the entity.

Explanatory Memorandum:

New subsection 26ZB(7) provides that the Commissioner may issue a subsection 26ZB(5) notice either on the Commissioner’s own initiative or on application made by the entity.  A decision by the Commissioner to refuse to issue a subsection 26ZB(5) notice will be reviewable by the Administrative Appeals Tribunal (see Item 5 below).

Issue

Given the appeal rights available to an entity under section 96 of the Act it is important that the application be drafted carefully.  It is that document upon which the Commissioner will give or refuse to give an exemption.

            (8)  If:

                     (a)  an entity applies to the Commissioner under paragraph (7)(b); and

                     (b)  the Commissioner decides to refuse the application;

the Commissioner must give written notice of the refusal to the entity.

The Explanatory Memorandum states:

New subsection 26ZB(8) provides that, where the Commissioner refuses an application made by an entity under paragraph 26ZB(7)(b) for a subsection 26ZB(5) notice, the Commissioner must give written notice of the refusal.

Issue

The Commissioner must give written notice and that notice will be part of the decision that is reviewable by the Administrative Appeals Tribunal under section 96 of the Privacy Act (as amended as of 12 March 2014).

            (9)  If:

                     (a)  an entity forms a belief about a serious data breach as mentioned in subsection (1); and

                     (b)  as soon as practicable after forming that belief, the entity applies to the Commissioner for a notice under subsection (5) in relation to the serious data breach;

then:

                     (c)  subsection (1) does not apply to the entity in relation to the serious data breach during the period:

                             (i)  beginning when the entity formed the belief; and

                            (ii)  ending when the Commissioner makes a decision in relation to the application for the notice; and

                     (d)  if the Commissioner makes a decision to refuse to give the notice—subsection (1) has effect as if the entity had formed the belief when the Commissioner made the decision.

Explanatory Memorandum states:

New subsection 26ZB(9) provides that, if an entity forms a belief that a serious data breach has occurred (paragraph 26ZB(9)(a)), and, as soon as practicable after forming that belief, the entity applies to the Commissioner for a subsection 26ZB(5) notice (paragraph 26ZB(9)(b)); the requirement to notify contained in new subsection 26ZB(1) will not apply during the period beginning when the entity formed the belief that a serious data breach has occurred, and ending when the Commissioner makes a decision about the application (paragraph 26ZB(9)(c)).  This provision is intended to make it clear that the entity will not be in breach of notification obligations while its application for a subsection 26ZB(5) notice is being considered by the Commissioner.

New paragraph 26ZB(9)(d) provides that if the Commissioner decides to refuse to give a subsection 26ZB(5) notice, subsection 26ZB(1) applies from the date of the Commissioner’s decision.  That is, where the Commissioner refuses an application for a subsection 26ZB(5) notice, the entity must comply with its obligations under paragraphs 26ZB(1)(e) – (h) as soon as practicable following that decision.

Issue

Subsection (9) operates to “stop the clock” on notification, at least temporarily.  If the entity has a belief that there has been a serious data breach and it applies for a notice under subsection (5) exempting it from providing notification, then subsection (1) does not apply between the time the belief is formed and the Commissioner’s decision.  If the Commissioner refuses to give the notice, the clock starts when that decision is made.

What the provision does not address is what happens if an application is made to the AAT, as is an entity’s right.  Issues of stay come into consideration.  It is arguable that a stay is necessary, or would be granted by the AAT as an interim measure, if an application for review is made, given that the alternative effectively nullifies the benefit of appealing the Commissioner’s decision to refuse to grant a notice.

Again, what is “as soon as practicable” may need to be clarified by the Federal Court, in light of the fact that this area of law involves discrete issues not common to other areas of administrative law or the common law generally.

Exception—inconsistency with secrecy provisions

(10)  If compliance by an entity with paragraph (1)(f), (g) or (h) would, to any extent, be inconsistent with a provision of a law of the Commonwealth (other than a provision of this Act) that prohibits or regulates the use or disclosure of information, subsection (1) does not apply to the entity to the extent of the inconsistency.

Explanatory Memorandum states:

New subsection 26ZB(10), which is titled ‘Exception—inconsistency with secrecy provisions’, provides that, if compliance by an entity with paragraph 26ZB(1)(f), (g) or (h) of the Privacy Act would, to any extent, be inconsistent with a provision of a law of the Commonwealth (other than a provision of the Privacy Act) that prohibits or regulates the use or disclosure of information, the requirement to notify contained in subsection 26ZB(1) does not apply to the entity to the extent of the inconsistency.

The effect of this provision is to make it clear that the secrecy provisions contained in other Commonwealth legislation prevail over the requirement to notify in subsection 26ZB(1) of the Privacy Act.  For example, subsection 26ZB(10) will ensure that there is no conflict between the Privacy Act and the provisions of other acts which prohibit disclosure of official information or secrets by Commonwealth officers (such as sections 70 and 79 of the Crimes Act 1914 (Cth)).

Issue

This provision will require careful cross referencing with and consideration of provisions in other legislation to determine whether there is inconsistency and the extent to which it applies.

Exception—data breach notified under the Personally Controlled Electronic Health Records Act 2012

(11)  Subsection (1) does not apply to a serious data breach if the breach has been notified under section 75 of the Personally Controlled Electronic Health Records Act 2012.

Explanatory Memorandum states:

New subsection 26ZB(11), which is titled ‘Exception— data breach notified under Personally Controlled Electronic Health Records Act 2012’, provides that subsection 26ZB(1) does not apply to a serious data breach if the breach has been notified under section 75 of the Personally Controlled Electronic Health Records Act 2012 (PCEHR Act).  This provision has the effect of preventing the imposition of a double notification requirement on entities that have complied with section 75 of the PCEHR Act in relation to the same data breach.

General publication conditions

         (12)  The regulations may declare that one or more specified conditions are general publication conditions for the purposes of this section.

Explanatory Memorandum states:

New subsection 26ZB(12), which is titled ‘General publication conditions’, provides that the regulations may declare that one or more specified conditions are general publication conditions for the purposes of new section 26ZB of the Privacy Act.  It is envisaged that the regulations will deal with situations where it is impossible for the entity to contact each affected individual or where an attempt to contact each individual would be ineffective.

Issues

The form and scope of the regulations will be important.

26ZC  Commissioner may direct entity to notify serious data breach

The Explanatory Memorandum states:

This section provides the Commissioner with the power to direct an entity to provide notification of a serious data breach.  It is envisaged that this provision may be enlivened in circumstances such as where a serious data breach comes to the attention of the Commissioner but has not come to the attention of an entity.

            (1)  If the Commissioner believes on reasonable grounds that there has been a serious data breach of an entity in relation to:

                     (a)  personal information; or

                     (b)  credit reporting information; or

                     (c)  credit eligibility information; or

                     (d)  tax file number information;

the Commissioner may, by written notice given to the entity, direct the entity to:

                     (e)  prepare a statement that complies with subsection (2); and

                      (f)  give a copy of the statement to the Commissioner; and

                     (g)  if the general publication conditions are not satisfied—take such steps as are reasonable in the circumstances to notify the contents of the statement to each of the individuals significantly affected by the serious data breach that the Commissioner believes has happened; and

                     (h)  if the general publication conditions are satisfied:

                             (i)  publish a copy of the statement on the entity’s website (if any); and

                            (ii)  cause a copy of the statement to be published in each State by being published in at least one newspaper circulating generally in that State.

Note: For general publication conditions, see subsection (8).

Explanatory Memorandum states:

New subsection 26ZC(1) provides that if the Commissioner believes on reasonable grounds that there has been a serious data breach of the entity in relation to either personal information, credit reporting information, credit eligibility information or tax file number information, the Commissioner may, by written notice given to the entity, direct the entity to:

  • prepare a statement that complies with new subsection 26ZC(2) (paragraph 26ZC(1)(e)) (a paragraph 26ZC(1)(e) statement)
  • give a copy of the paragraph 26ZC(1)(e) statement to the Commissioner (paragraph 26ZC(1)(f))
  • if the general publication conditions are not satisfied, take such steps as are reasonable in the circumstances to notify the contents of the paragraph 26ZC(1)(e) statement to each of the individuals significantly affected by the serious data breach that the Commissioner believes has happened (paragraph 26ZC(1)(g)), and
  • if the general publication conditions are satisfied:
      • publish a copy of the paragraph 26ZC(1)(e) statement on the entity’s website (if any) (subparagraph 26ZC(1)(h)(i)), and
      • cause a copy of the paragraph 26ZC(1)(e) statement to be published in each State by being published in at least one newspaper circulating generally in that State (subparagraph 26ZC(1)(h)(ii)).

This Item also inserts a Note following new subsection 26ZC(1) and before new subsection 26ZC(2).  The Note provides a cross-reference to subsection 26ZC(8), which provides for general publication conditions.

Issue

The powers given to the Privacy Commissioner are broadly drawn and extensive.  Care will need to be taken in drafting and interpreting the scope of the notice.

            (2)  The statement referred to in paragraph (1)(e) must set out:

                     (a)  the identity and contact details of the entity; and

                     (b)  a description of the serious data breach that the Commissioner believes has happened; and

                     (c)  the kinds of information concerned; and

                     (d)  recommendations about the steps that individuals should take in response to the serious data breach that the Commissioner believes has happened; and

                     (e)  such other information (if any) as specified in the regulations.

Explanatory Memorandum states:

New subsection 26ZC(2) sets out the contents of the paragraph 26ZC(1)(e) statement that an entity must prepare to give notice of a serious data breach.  These are based on the matters in the current OAIC Data Breach Notification: A guide to handling personal information security breaches.  The paragraph 26ZC(1)(e) statement must include:

  • the identity and contact details of the entity (paragraph 26ZC(2)(a))
  • a description of the serious data breach that the Commissioner believes has happened (paragraph 26ZC(2)(b))
  • the kinds of information concerned (paragraph 26ZC(2)(c))
  • recommendations about the steps that individuals should take in response to the data breach that the Commissioner believes has happened (paragraph 26ZC(2)(d)), and
  • any other information (if any) as specified in the regulations (paragraph 26ZC(2)(e)).

This means that, if the conditions in any regulations are met, instead of taking steps to notify each individual, the entity may make a general publication in relation to the serious data breach.  New subsection 26ZC(8) provides that the regulations may declare one or more specified conditions to be general publication conditions.  It is envisaged that the regulations will deal with situations where it is impossible for the entity to contact each affected individual or where an attempt to contact each individual would be ineffective.  Paragraph 26ZC(1)(h) provides that where an entity makes a general publication it must publish a copy of the notification on its website (if it has one) and cause a copy of the notification to be published in each State in at least one newspaper circulating generally in that State.

Issue

This provision is drafted in exhaustive terms.  That said, it also provides that the statement must include information which is specified in the regulations.  Care should be taken to determine whether what is specified in the regulations is intra vires.

Method of providing the statement to an individual

            (3)  If the entity normally communicates with an individual using a particular method, the notification to the individual mentioned in paragraph (1)(g) may use that method. This subsection does not limit paragraph (1)(g).

Explanatory Memorandum states:

Without limiting paragraph 26ZC(1)(g), new subsection 26ZC(3), which is titled ‘Method of providing the statement to an individual’, provides that where an entity normally communicates with an individual using a particular method, any notifications provided to the individual under paragraph 26ZC(1)(g) may use that method.  This is intended to reduce the cost of compliance for entities but also to ensure that individuals receive notifications through communication channels that they expect relevant entities to use.  Where there is no normal mode of communication with the particular individual the entity must take reasonable steps to communicate with him or her.  Reasonable steps could include contact by email, telephone or post.

Compliance with direction

            (4)  An entity must comply with a direction under subsection (1) as soon as practicable after the direction is given.

Explanatory memorandum states:

New subsection 26ZC(4), which is titled ‘Compliance with direction’, provides that an entity must comply with a direction given by the Commissioner under subsection 26ZC(1) (a subsection 26ZC(1) direction) as soon as practicable after the direction is given.

Issue

The question of what is “as soon as practicable” is not specified.  The circumstances in which an entity finds itself may be relevant in determining compliance.

Exception—enforcement related activities

            (5)  The Commissioner must not give a direction under subsection (1) to an entity if:

                     (a)  the entity is an enforcement body; and

                     (b)  the chief executive officer of the enforcement body has given the Commissioner a certificate stating that the enforcement body believes on reasonable grounds that compliance with the direction would be likely to prejudice one or more enforcement related activities conducted by, or on behalf of, the enforcement body.

Explanatory Memorandum

New subsection 26ZC(5), which is titled ‘Exception—enforcement related activities’, provides that the Commissioner must not give a subsection 26ZC(1) direction to an entity that is a law enforcement body if the chief executive officer of that law enforcement body has given the Commissioner a certificate stating that the enforcement body believes on reasonable grounds that compliance with the direction would be likely to prejudice one or more enforcement related activities conducted by, or on behalf of, the enforcement body.

‘Enforcement body’ and ‘enforcement related activities’ are defined in subsection 6(1) of the Privacy Act.  This exception is intended to ensure that the legitimate activities of enforcement bodies are not disrupted or affected by the notification requirement.  However, it does not extend to serious data breaches that are not related to enforcement activities such as the inadvertent disclosure of personal information unrelated to investigations or intelligence gathering.  The requirement that the chief executive of the enforcement body provide the Commissioner with a certificate will ensure that the Commissioner can be assured that the enforcement body has formed the relevant belief on reasonable grounds.

This exception will apply in relation to notification to individuals.  As noted above, the effect of subclause 26ZB(4) is that an enforcement body will still be required to notify all serious data breaches to the Commissioner.  The exception in subclause 26ZC(5) does not exempt an enforcement body from that requirement.

Exception—inconsistency with secrecy provisions

(6)  If compliance by an entity with so much of a direction under subsection (1) as is covered by paragraph (1)(f), (g) or (h) would, to any extent, be inconsistent with a provision of a law of the Commonwealth (other than a provision of this Act) that prohibits or regulates the use or disclosure of information, paragraph (1)(f), (g) or (h), as the case may be, does not apply to the entity to the extent of the inconsistency.

The Explanatory Memorandum states:

New subsection 26ZC(6), which is titled ‘Exception—inconsistency with secrecy provisions’, provides that, if compliance by an entity with a subsection 26ZC(1) direction as is covered by paragraph 26ZC(1)(f), (g) or (h) would, to any extent, be inconsistent with a provision of a law of the Commonwealth (other than a provision of this Act) that prohibits or regulates the use or disclosure of information, paragraph 26ZC(1)(f), (g) or (h), as the case may be, does not apply to the entity to the extent of the inconsistency.

The effect of this provision is to make it clear that the secrecy provisions contained in other Commonwealth legislation prevail over the requirement to comply with a subsection 26ZC(1) direction.  For example, subsection 26ZC(6) will ensure that there is no conflict between the Privacy Act and the provisions of other acts which prohibit disclosure of official information or secrets by Commonwealth officers (such as sections 70 and 79 of the Crimes Act 1914 (Cth)).

Exception—data breach notified under the Personally Controlled Electronic Health Records Act 2012

 (7)  The Commissioner must not give a direction under subsection (1) in relation to a serious data breach if the breach has been notified under section 75 of the Personally Controlled Electronic Health Records Act 2012.

The Explanatory Memorandum states:

New subsection 26ZC(7), which is titled ‘Exception— data breach notified under Personally Controlled Electronic Health Records Act 2012’, provides that the Commissioner must not give a subsection 26ZC(1) direction in relation to a serious data breach if the breach has been notified under section 75 of the PCEHR Act.  This provision has the effect of preventing the imposition of a double notification requirement on entities that have complied with section 75 of the PCEHR Act in relation to the same data breach.

General publication conditions

(8)  The regulations may declare that one or more specified conditions are general publication conditions for the purposes of this section.

The Explanatory Memorandum states:

New subsection 26ZC(8), which is titled ‘General publication conditions’, provides that the regulations may declare that one or more specified conditions are general publication conditions for the purposes of new section 26ZC of the Privacy Act.  It is envisaged that the regulations will deal with situations where it is impossible for the entity to contact each affected individual or where an attempt to contact each individual would be ineffective.

Issue

The scope and operation of this important term will not be known until the regulations are promulgated.

Division 3—General

26ZD  Entity

                   For the purposes of this Part, entity includes a person who is a file number recipient.

The Explanatory Memorandum states:

Section 26ZD provides that, for the purposes of the new Part IIIC—Data breach notification, ‘entity’ includes a person who is a file number recipient.

26ZE  Harm

                   For the purposes of this Part, harm includes:

                     (a)  harm to reputation; and

                     (b)  economic harm; and

                     (c)  financial harm.

The Explanatory Memorandum states:

Section 26ZE provides that, for the purposes of the new Part IIIC—Data breach notification, the word ‘harm’ includes harm to reputation, economic harm, and financial harm.  This is a non-exhaustive list and is in addition to the ordinary meaning of the word ‘harm’.  The section is included to provide clarity.

Issue

The threshold of harm is potentially quite low.  It is significant that the legislature has opted for a non-exhaustive list of harms which fall within this definition.  The attitude of the Commissioner and, more importantly and ultimately, judicial consideration will be important in determining the scope of this term.

Reputational harm, used in the context of defamation, is quite a modest bar to overcome in the normal course.  Clearly the facts will determine how a disclosure will affect one’s reputation.  That said, the intent and underlying rationale of the Privacy Act is to allow governments or entities to gather and use personal information only for the purpose for which it is gathered, subject to the exceptions provided within the APPs.  Release of sensitive personal information would likely raise reputational issues.

In the United States privacy claims have often foundered because the plaintiffs have not been able to show economic loss consequent upon the interference with privacy.  It will be interesting to see how easy it is to establish a claim of economic or financial harm as a consequence of a data breach.  Cases involving hacking of credit card details may clearly lead to such harms; however, leakage of a student number or an address may not draw any such causal link.  In Australia the Court of Appeal decision in Giller v Procopets found that mere distress was sufficient to found a basis for a breach of confidence involving the misuse of private information.  That decision followed the breach of confidence/privacy actions in the UK commencing with the House of Lords decisions in Campbell v MGN and Douglas v Hello, both of which were cited with approval in Giller.  It is arguable that distress could constitute a harm for the purpose of this Bill if it is enacted.  Obviously it will need the right facts to prosecute such an argument.

26ZF  Real risk

                   For the purposes of this Part, real risk means a risk that is not a remote risk.

The Explanatory Memorandum states:

Section 26ZF provides that, for the purposes of the new Part IIIC—Data breach notification, the term ‘real risk’ means a risk that is not a remote risk.

This is an important threshold that is intended to exclude risks that are minor in nature.  It would not be appropriate for minor breaches to be notified because of the administrative burden that may place on entities, the risk of notification fatigue on the part of individuals, and the lack of utility where notification does not facilitate mitigation.  As is currently the case in the OAIC Data Breach Notification: A guide to handling personal information security breaches, it is expected that further practical guidance around the concept of a ‘real risk of serious harm’ will be included in revised OAIC guidance that complements these new reforms.

Issue

This term is drawn very widely.  Legally it is a very broad definition.  Fulfilling this requirement will probably not be a significant difficulty.  Needless to say judicial consideration will be inevitable and will set the parameters of the term.

After paragraph 96(1)(b)

Insert:

                    (ba)  a decision under section 26ZB to refuse to give a notice under subsection 26ZB(5);

                    (bb)  a decision under subsection 26ZC(1) to give a direction;

The Explanatory Memorandum states:

Item 5 of Schedule 1 inserts new paragraphs 96(1)(ba) and 96(1)(bb) into subsection 96(1) of the Privacy Act, after existing paragraph 96(1)(b).  The effect of this insertion is that new paragraphs 96(1)(ba) and 96(1)(bb) respectively provide that a decision by the Commissioner:

  • under section 26ZB to refuse to give a subsection 26ZB(5) notice that an entity is exempt from an obligation to notify a serious data breach, and
  • under section 26ZC to give a subsection 26ZC(1) direction to an entity to notify a serious data breach

will be subject to review by the Administrative Appeals Tribunal.

Issue

A direction to notify of a serious data breach and a refusal to give an exemption notice are now both reviewable by the AAT.

Application of amendments—serious data breaches

(1)       Paragraphs 26X(1)(c), 26Y(1)(c), 26Z(1)(c) and 26ZA(1)(c) of the Privacy Act 1988 (as amended by this Schedule) apply to an access or disclosure that happens after the commencement of this item.

(2)       Paragraphs 26X(2)(c), 26Y(2)(c), 26Z(2)(c) and 26ZA(2)(c) of the Privacy Act 1988 (as amended by this Schedule) apply to a loss that happens after the commencement of this item.

The Explanatory Memorandum states:

Item 6 of Schedule 1 provides that the new Part IIIC of the Privacy Act to be inserted by this Bill applies to the access, disclosure, or loss of personal information, as well as credit reporting information, credit eligibility information and tax file number information that occurs after the commencement of Item 6.  That is, none of the provisions in the Bill will operate retrospectively.  Serious data breaches that occur after 12 March 2014 will be subject to the requirements of the new Part IIIC.


FINAL COMMENTS

This Bill, if enacted, will significantly increase the obligations upon entities to respond to data breaches.  While the Act is drafted as almost a code, there is sufficient flexibility built in that the approach taken by the Privacy Commissioner and the interpretation of key provisions by the Federal Court and the AAT (as the case may be) will determine how it operates in practice.

This mandatory breach reporting regime may give rise to claims based on the admissions contained in the breach notices.  Depending upon the nature of the information in question there is a potential for class actions commenced in the Federal Court.  In this context the operation of section 98, involving a claim for injunctive relief, may be applicable.  Such a breach may give rise to a claim for damage because of misleading conduct if the entity represented that data would be secured properly, or to the appropriate standards, or just securely.  Clearly what representations are made in any privacy policy or promotional material will need to be carefully drafted.  It is possible to formulate a claim in negligence or breach of contract arising out of the data breach.

In privacy litigation there may be real scope for development of the equitable claim of breach of confidence.  Part VIII of the Privacy Act specifically deals with the obligations of confidence owed by an agency.  In Michael James Austen v Civil Aviation Authority [1994] FCA 1104 and Breen v Williams [1996] HCA 57 the Federal and High Courts were of the opinion that the provisions of Part VIII extend the remedies available in equity for breach of an obligation of confidence.  It has been an underutilised provision of the Act, but it may come to be used more effectively.
